tomcat-dev mailing list archives

Subject DO NOT REPLY [Bug 43463] Change default location of JkShmFile
Date Tue, 28 Jun 2011 07:44:15 GMT

--- Comment #4 from Ross Johnson <> 2011-06-28 07:44:15 UTC
Really just an install gotcha, but the default location on Red Hat/CentOS with
SELinux enforced produces an error in the log:

[Sun Jun 05 04:02:02 2011] [1475:47614514131712] [error] init_jk::mod_jk.c
(3181): Initializing shm:/etc/httpd/logs/jk-runtime-status.1475 errno=13. Load
balancing workers will not function properly.

Setting SELinux to "Permissive" mode fixes the problem but this was not
acceptable, so I chose to set JkShmFile explicitly to another location.

Below is the "sealert" diagnostic from my server but please note that the fix
it suggests may be too broad for some security-conscious admins. Basically it
says that httpd does not have the correct context to write to the file
/var/log/httpd/jk-runtime-status.PID (even though that file does actually get

The following command will allow this access:

setsebool -P httpd_unified=1

Additional Information:

Source Context                user_u:system_r:httpd_t
Target Context                user_u:object_r:httpd_log_t
Target Objects                ./jk-runtime-status.6564 [ file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Source RPM Packages           httpd-2.2.3-45.el5.centos
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-279.el5_5.2
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   httpd_unified
Host Name           
Platform                      Linux 2.6.18-194.32.1.el5xen
                              #1 SMP Wed Jan 5 18:44:24 EST 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Tue Jun 28 13:00:42 2011
Last Seen                     Tue Jun 28 13:00:42 2011
Local ID                      9c16d601-7a97-475f-b4cc-ae309a980e5f
Line Numbers

Raw Audit Messages

type=AVC msg=audit(1309230042.538:9038): avc:  denied  { write } for  pid=6564 comm="httpd" name="jk-runtime-status.6564" dev=dm-0 ino=196748 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_log_t:s0 tclass=file

type=SYSCALL msg=audit(1309230042.538:9038): arch=c000003e syscall=77 success=no exit=-13 a0=11 a1=1c0 a2=2 a3=75746174732d656d items=0 ppid=6563 pid=6564 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1452 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
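
An added example, not part of the original message or of mod_jk: a small parser for the two raw audit records quoted above that groups them by event serial and reduces them to the denied permission, the source and target types, and the errno. The function names are hypothetical, and the record text is the one from the message with the line-wrap spaces removed.

```python
import errno
import re

# The AVC and SYSCALL records quoted in the message (one event, serial 9038),
# with the spaces introduced by line wrapping removed.
RAW = (
    'type=AVC msg=audit(1309230042.538:9038): avc:  denied  { write } for  '
    'pid=6564 comm="httpd" name="jk-runtime-status.6564" dev=dm-0 ino=196748 '
    'scontext=user_u:system_r:httpd_t:s0 '
    'tcontext=user_u:object_r:httpd_log_t:s0 tclass=file\n'
    'type=SYSCALL msg=audit(1309230042.538:9038): arch=c000003e syscall=77 '
    'success=no exit=-13 a0=11 a1=1c0 a2=2 a3=75746174732d656d items=0 '
    'ppid=6563 pid=6564 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 '
    'sgid=0 fsgid=0 tty=(none) ses=1452 comm="httpd" exe="/usr/sbin/httpd" '
    'subj=user_u:system_r:httpd_t:s0 key=(null)\n'
)

RECORD = re.compile(r'^type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):(.*)$', re.M)
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')


def parse_events(text):
    """Group audit records by event serial: {serial: {record_type: fields}}."""
    events = {}
    for rtype, serial, rest in RECORD.findall(text):
        fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
        perms = PERMS.search(rest)
        if perms:
            fields['perms'] = perms.group(1).split()
        events.setdefault(serial, {})[rtype] = fields
    return events


def denial(event):
    """Reduce one event to what was denied, to whom, on what, and the errno."""
    avc, sc = event['AVC'], event.get('SYSCALL', {})
    failed = sc.get('success') == 'no' and 'exit' in sc
    return {
        'source_type': avc['scontext'].split(':')[2],
        'target_type': avc['tcontext'].split(':')[2],
        'tclass': avc['tclass'],
        'perms': avc['perms'],
        'name': avc['name'],
        'errno': errno.errorcode.get(-int(sc['exit'])) if failed else None,
    }


print(denial(parse_events(RAW)['9038']))
```

The result (httpd_t denied write on a file of type httpd_log_t, EACCES) is the same failure the mod_jk log line reports as errno=13.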
