selinux mod_jk woes

Support for the other architectures (X86_64, s390(x) and PowerPC)
roos
Posts: 7
Joined: 2006/04/26 08:36:23

selinux mod_jk woes

Post by roos » 2006/04/26 09:41:02

I am trying to reconfigure SELinux to work in enforcing mode.
The only issue that prevents it is the mod_jk connector's shared memory file.
I currently run in permissive mode.

Problem:
It seems the apache server is creating the shm file as root and is then switching user context.
Therefore, I assume I need to extend the policy file for mod_jk.

Details:
The jk.shm file is placed in /var/cache/mod_jk/jk.shm

I tried to re-label the jk.shm.* dir/file by adding this line in /etc/selinux/targeted/contexts/files/file_contexts:
# by roos
/var/cache/mod_jk(/.*)? system_u:object_r:var_t
and relabeled the /var/cache/mod_jk dir.

If I then start httpd, I get an error which seems to be caused by apache switching user context:

audit(1146044042.534:2): avc: denied { read write } for pid=3045 comm="httpd" name="jk.shm" dev=dm-3 ino=2506996 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:var_t tclass=file

Does anyone have a solution for mod_jk and SELinux?

Thanks in advance!

Robert

roos
Posts: 7
Joined: 2006/04/26 08:36:23

Re: selinux mod_jk woes

Post by roos » 2006/04/26 15:13:22

I found the solution myself by evaluating the selinux policy source files.

There is a special directory to which httpd and all its modules are granted access.
It is /var/cache/httpd.

This directory does not exist by default but it is in the default policy... Strange.

Here is what you need to do if you want to run mod_jk with enforced SELinux policies:

1. create /var/cache/httpd
2. Label the directory
setfiles -v -l -d /etc/selinux/targeted/contexts/files/file_contexts /var/cache/httpd
3. change /etc/httpd/conf.d/mod_jk.conf to point the shm file to
/var/cache/httpd/jk.shm

Done.
No more complaints from SELinux.

BTW: Is this a bug I should report in the bugtracker for CentOS4?


Robert
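The three steps above, as an added shell example (not code from the thread or from the mod_jk project): create the cache directory, relabel it, and point the JkShmFile directive at the new location. The paths are the ones roos names; the function names, the use of restorecon in place of the setfiles invocation, and the sample mod_jk.conf in the usage call are my assumptions. In the targeted policy /var/cache/httpd carries the httpd_cache_t type in file_contexts, which is why a plain relabel is enough for httpd_t to use it.

```shell
#!/bin/sh
# Added example: apply roos' fix for the mod_jk shared-memory file under SELinux.
# Paths are from the thread; everything else (function names, restorecon) is assumed.

HTTPD_CACHE_DIR=/var/cache/httpd
JK_SHM_FILE=$HTTPD_CACHE_DIR/jk.shm

# Steps 1 and 2: create the directory and label it from file_contexts.
# restorecon does what the post's setfiles command did; it is only called
# when present, so the function still creates the directory on a host
# without SELinux tooling.
prepare_shm_dir() {
    dir=${1:-$HTTPD_CACHE_DIR}
    mkdir -p "$dir" || return 1
    if command -v restorecon >/dev/null 2>&1; then
        restorecon -v "$dir"
    else
        echo "restorecon not found; skipping relabel of $dir" >&2
    fi
}

# Step 3: rewrite (or add) the JkShmFile directive in a mod_jk.conf.
# Usage: set_jk_shm_file /etc/httpd/conf.d/mod_jk.conf /var/cache/httpd/jk.shm
# The file is rewritten in place with cat rather than mv so that the config
# keeps its owner, mode and SELinux label instead of inheriting a temp file's.
# The new path must not contain '|' or '&' (used unescaped in the sed expression).
set_jk_shm_file() {
    conf=$1
    shm=${2:-$JK_SHM_FILE}
    if grep -q '^[[:space:]]*JkShmFile[[:space:]]' "$conf"; then
        tmpf=$(mktemp) || return 1
        sed "s|^\([[:space:]]*\)JkShmFile[[:space:]].*|\1JkShmFile $shm|" "$conf" > "$tmpf" \
            && cat "$tmpf" > "$conf"
        rm -f "$tmpf"
    else
        printf 'JkShmFile %s\n' "$shm" >> "$conf"
    fi
}

# Report the configured shm path (last directive wins, as in httpd) so the
# result of set_jk_shm_file can be checked.
get_jk_shm_file() {
    awk '$1 == "JkShmFile" { print $2 }' "$1" | tail -n 1
}

# Usage on a constructed copy of mod_jk.conf (real path: /etc/httpd/conf.d/mod_jk.conf).
if [ "${1:-}" = "demo" ]; then
    sample=$(mktemp)
    printf 'LoadModule jk_module modules/mod_jk.so\nJkShmFile /var/cache/mod_jk/jk.shm\n' > "$sample"
    set_jk_shm_file "$sample"
    echo "JkShmFile now: $(get_jk_shm_file "$sample")"
    rm -f "$sample"
fi
```

Run as `sh fix_jk_shm.sh demo` to see the directive rewritten; as root on the server, call `prepare_shm_dir` and then `set_jk_shm_file /etc/httpd/conf.d/mod_jk.conf` before restarting httpd.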

rubens_gomes
Posts: 4
Joined: 2007/01/08 15:46:42
Location: Dallas/Fort Worth, TX, USA

Re: selinux mod_jk woes

Post by rubens_gomes » 2007/06/10 03:13:32

I have CentOS 5, and I can only get mod_jk to start in Permissive mode. When SELinux is set to Enforcing,
I see the following error when starting httpd:

audit(1181444744.546:95): avc: denied { execute } for pid=4926 comm="httpd" name="mod_jk.so" dev=sda3 ino=330284 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file

I have tried the following with no luck:

- enable SE httpd booleans (setsebool):
$ setsebool -P allow_http ..... (tried several possibilities)
- set up a share directory (from previous posting)

Rubens
www.rubens-gomes.com
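Both denials in this thread (roos' jk.shm message and rubens_gomes' mod_jk.so message) carry the answer in their fields: the source type, the permission refused, the object class and name, and the target type. The script below is an added example, not from the thread or any project, that pulls those fields out of an AVC line so the problem object and its label are obvious at a glance. The two audit lines are copied from the posts above; the function names are my own.

```shell
#!/bin/sh
# Added example: summarise AVC denial lines from this thread.
# Input lines are the two messages posted above; function names are assumed.

# Denial from the first post: httpd could not read/write the shm file (type var_t).
DENIAL_SHM='audit(1146044042.534:2): avc: denied { read write } for pid=3045 comm="httpd" name="jk.shm" dev=dm-3 ino=2506996 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:var_t tclass=file'
# Denial from the third post: httpd could not execute the module (type user_home_t).
DENIAL_MODULE='audit(1181444744.546:95): avc: denied { execute } for pid=4926 comm="httpd" name="mod_jk.so" dev=sda3 ino=330284 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file'

# Value of one key=value token (quotes stripped). Usage: avc_field tcontext "$line"
avc_field() {
    printf '%s\n' "$2" | awk -v key="$1" '{
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) {
                v = substr($i, length(key) + 2)
                gsub(/"/, "", v)
                print v
                exit
            }
    }'
}

# Permissions listed between the braces, e.g. "read write".
avc_perms() {
    printf '%s\n' "$1" \
        | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^}]*\)}.*/\1/p' \
        | sed 's/[[:space:]]*$//'
}

# Type field of a context, with or without the MLS suffix:
# user_u:system_r:httpd_t -> httpd_t, system_u:object_r:var_t:s0 -> var_t
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# One-line summary: who was denied what on which object, and how that object is labeled.
avc_summary() {
    line=$1
    printf '%s denied %s on %s "%s" labeled %s\n' \
        "$(avc_type "$(avc_field scontext "$line")")" \
        "$(avc_perms "$line")" \
        "$(avc_field tclass "$line")" \
        "$(avc_field name "$line")" \
        "$(avc_type "$(avc_field tcontext "$line")")"
}

avc_summary "$DENIAL_SHM"
avc_summary "$DENIAL_MODULE"
```

The first line summarises to `httpd_t denied read write on file "jk.shm" labeled var_t`, the second to `httpd_t denied execute on file "mod_jk.so" labeled user_home_t`. In both cases the target is a generic label (a /var file, a home-directory file) rather than one of the httpd types the policy grants httpd_t access to, which is what tells you that moving or relabeling the object, as roos did with /var/cache/httpd, is the thing to look at rather than flipping booleans.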

