
selinux mod_jk woes

Posted: 2006/04/26 09:41:02
by roos
I am trying to reconfigure SELinux to work in enforcing mode.
The only issue that prevents it is the mod_jk connector's shared memory file.
I currently run in permissive mode.

Problem:
It seems the Apache server is creating the shm file as root and then switching user context.
Therefore, I assume I need to extend the policy file for mod_jk.

Details:
The jk.shm file is placed in /var/cache/mod_jk/jk.shm

I tried to relabel the jk.shm.* dir/file by adding this line to /etc/selinux/targeted/contexts/files/file_contexts:
# by roos
/var/cache/mod_jk(/.*)? system_u:object_r:var_t
and relabeled the /var/cache/mod_jk dir.

If I then start httpd, I get an error that seems to be caused by Apache switching user context:

audit(1146044042.534:2): avc: denied { read write } for pid=3045 comm="httpd" name="jk.shm" dev=dm-3 ino=2506996 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:var_t tclass=file

Has anyone a solution for mod_jk and selinux?

Thanks in advance!

Robert

Re: selinux mod_jk woes

Posted: 2006/04/26 15:13:22
by roos
I found the solution myself by evaluating the selinux policy source files.

There is a special directory to which httpd and all its modules are granted access.
It is /var/cache/httpd.

This directory does not exist by default but it is in the default policy... Strange.

Here is what you need to do if you want to run mod_jk with SELinux policies enforced:

1. Create /var/cache/httpd
2. Label the directory:
setfiles -v -l -d /etc/selinux/targeted/contexts/files/file_contexts /var/cache/httpd
3. Change /etc/httpd/conf.d/mod_jk.conf to point the shm file to /var/cache/httpd/jk.shm

Done.
No more complaints from selinux.

BTW: Is this a bug I should report in the bugtracker for CentOS4?


Robert

Re: selinux mod_jk woes

Posted: 2007/06/10 03:13:32
by rubens_gomes
I have CentOS 5, and I can only get mod_jk to start in Permissive mode. When SELinux is set to Enforcing, I see the following error when starting httpd:

audit(1181444744.546:95): avc: denied { execute } for pid=4926 comm="httpd" name="mod_jk.so" dev=sda3 ino=330284 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file

I have tried the following with no luck:

- enable SE httpd booleans (setsebool):
$ setsebool -P allow_http ..... (tried several possibilities)
- set up a shared directory (from the previous posting)

Rubens
www.rubens-gomes.com
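Both denials in this thread are read the same way: the source type (httpd_t), the permission it wanted, and the type the file actually carries. The following is an added helper script, not code posted by anyone in the thread, that pulls those fields out of an AVC record and maps them onto the two cases above. The mapping in avc_hint is this example's own reading of the posts (a data file on a non-httpd type goes under /var/cache/httpd and is relabeled with setfiles as in the second post; a module carrying a home-directory type needs its label restored); the audit lines it is tested against are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): extract the fields that matter from an
# SELinux AVC denial and say which of the thread's two situations it matches.

# Value of key=value in an AVC record; surrounding quotes are stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# Permissions listed between the braces, e.g. "read write".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# Type component (third field) of a context such as system_u:object_r:var_t:s0.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# One line: "<source type> denied <perms> on <class> <name> labeled <target type>"
avc_summary() {
    printf '%s denied %s on %s %s labeled %s\n' \
        "$(ctx_type "$(avc_field "$1" scontext)")" "$(avc_perms "$1")" \
        "$(avc_field "$1" tclass)" "$(avc_field "$1" name)" \
        "$(ctx_type "$(avc_field "$1" tcontext)")"
}

# Hint for httpd_t file denials, following the thread: httpd_t has no access to
# generic var_t or user_home_t files, so the fix is a location/label the policy
# already grants rather than a new policy rule.
avc_hint() {
    perms=$(avc_perms "$1")
    ttype=$(ctx_type "$(avc_field "$1" tcontext)")
    case "$perms" in
        *execute*)      printf 'module labeled %s: check it with ls -Z and restore its label (restorecon)\n' "$ttype" ;;
        *read*|*write*) printf 'data file labeled %s: move it under /var/cache/httpd and relabel with setfiles\n' "$ttype" ;;
        *)              printf 'unhandled permission set: %s\n' "$perms" ;;
    esac
}

# Usage: avc_summary "$line"; avc_hint "$line"  (one AVC record per call)
```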