Bug
Resolution: Unresolved
Critical
In the latest archive release of JBCS Apache (2.4.62-SP2), deploying it to a location other than /opt/ results in a failure to start via systemd, as shown below.
# systemctl start jbcs-httpd24-httpd
Job for jbcs-httpd24-httpd.service failed because of unavailable resources or another system error.
See "systemctl status jbcs-httpd24-httpd.service" and "journalctl -xeu jbcs-httpd24-httpd.service" for details.

// access /app/jbcs-httpd24-2.4/httpd/etc/sysconfig/httpd is rejected by selinux
# journalctl -u jbcs-httpd24-httpd.service
Nov 20 10:53:05 ip-10-0-0-192.ap-northeast-1.compute.internal systemd[1]: jbcs-httpd24-httpd.service: Failed to load environment files: Permission denied
Nov 20 10:53:05 ip-10-0-0-192.ap-northeast-1.compute.internal systemd[1]: jbcs-httpd24-httpd.service: Failed to run 'start' task: Permission denied
Nov 20 10:53:05 ip-10-0-0-192.ap-northeast-1.compute.internal systemd[1]: jbcs-httpd24-httpd.service: Failed with result 'resources'.
Nov 20 10:53:05 ip-10-0-0-192.ap-northeast-1.compute.internal systemd[1]: Failed to start The Apache HTTP Server.

// because the label of the following directory is default_t, expected would be httpd_config_t
# ls -lZ /app/jbcs-httpd24-2.4/httpd/etc/sysconfig
total 8
-rw-r--r--. 1 apache apache unconfined_u:object_r:default_t:s0 372 Nov 20 10:51 htcacheclean
-rw-r--r--. 1 apache apache unconfined_u:object_r:default_t:s0 980 Nov 20 10:51 httpd
Wouldn't it also be necessary for jbcs-httpd24-httpd.fc to assign the httpd_config_t label to HTTPD_HOME/etc?
jbcs-httpd24-2.4/httpd/selinux/jbcs-httpd24-httpd.fc
@@CWD@@/conf(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
@@CWD@@/conf.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
@@CWD@@/conf.modules.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
@@CWD@@/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
@@CWD@@/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
@@CWD@@/lib(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
@@CWD@@/run(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
@@CWD@@/bin(/.*)? gen_context(system_u:object_r:httpd_exec_t,s0)
@@CWD@@/sbin(/.*)? gen_context(system_u:object_r:httpd_exec_t,s0)
@@CWD@@/cache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
@@CWD@@/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@CWD@@/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
@@CWD@@/etc(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) <<<=== Would this line also be needed?
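
The gap described in this report can be checked offline against the quoted entries. The following is an added example, not part of the original report or of the JBCS distribution: it assumes `@@CWD@@` is replaced with the install directory, approximates SELinux's entry ordering with "longest pattern wins", and uses constructed sample paths.

```python
import re

HOME = "/app/jbcs-httpd24-2.4/httpd"  # install path taken from the report
PROPOSED = "@@CWD@@/etc(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)"
# Entries quoted in the report, without the proposed etc line.
FC_TEXT = """
@@CWD@@/conf(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
@@CWD@@/conf.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
@@CWD@@/conf.modules.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
@@CWD@@/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
@@CWD@@/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
@@CWD@@/lib(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
@@CWD@@/run(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
@@CWD@@/bin(/.*)? gen_context(system_u:object_r:httpd_exec_t,s0)
@@CWD@@/sbin(/.*)? gen_context(system_u:object_r:httpd_exec_t,s0)
@@CWD@@/cache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
@@CWD@@/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@CWD@@/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
"""

def parse_fc(text, home=HOME):
    """Return [(regex, selinux_type)] with @@CWD@@ replaced by the install dir."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 2 or fields[0].startswith("#"):
            continue  # skip blank lines, comments and anything malformed
        ctx = re.search(r"object_r:(\w+)", fields[1])
        if ctx:
            pattern = fields[0].replace("@@CWD@@", re.escape(home))
            rules.append((re.compile(pattern), ctx.group(1)))
    return rules

def label_for(path, rules):
    """Type of the most specific matching entry, or None if no entry matches.
    Longest pattern wins: a simplification of SELinux's specificity ordering."""
    hits = [(len(rx.pattern), t) for rx, t in rules if rx.fullmatch(path)]
    return max(hits)[1] if hits else None

def unlabeled(paths, rules):
    """Paths no entry covers; these are left to the parent's or default label."""
    return [p for p in paths if label_for(p, rules) is None]

if __name__ == "__main__":
    # Constructed sample paths under the install directory.
    sample = [HOME + s for s in ("/etc/sysconfig/httpd", "/conf/httpd.conf",
                                 "/www/cgi-bin/test.cgi", "/logs/error_log")]
    print("uncovered before:", unlabeled(sample, parse_fc(FC_TEXT)))
    print("uncovered after: ", unlabeled(sample, parse_fc(FC_TEXT + PROPOSED)))
```

On a host with the policy module loaded, `matchpathcon <path>` reports the context the installed file-context rules would assign to a given path.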