tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 43463] Change default location of JkShmFile
Date Tue, 28 Jun 2011 07:44:15 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=43463

--- Comment #4 from Ross Johnson <Ross.Johnson@acma.gov.au> 2011-06-28 07:44:15 UTC ---
Really just an install gotcha but the default location on Redhat/CentOS with
SELinux enforced produces an error in the log:

[Sun Jun 05 04:02:02 2011] [1475:47614514131712] [error] init_jk::mod_jk.c
(3181): Initializing shm:/etc/httpd/logs/jk-runtime-status.1475 errno=13. Load
balancing workers will not function properly.

Setting SELinux to "Permissive" mode fixes the problem but this was not
acceptable so I chose to set JkShmFile explicitly to another location
(/var/run/httpd/mod_jk.shm).

Below is the "sealert" diagnostic from my server but please note that the fix
it suggests may be too broad for some security-conscious admins. Basically it
says that httpd does not have the correct context to write to the file
/var/log/httpd/jk-runtime-status.PID (even though that file does actually get
created).


The following command will allow this access:

setsebool -P httpd_unified=1

Additional Information:

Source Context                user_u:system_r:httpd_t
Target Context                user_u:object_r:httpd_log_t
Target Objects                ./jk-runtime-status.6564 [ file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          my.host.domain
Source RPM Packages           httpd-2.2.3-45.el5.centos
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-279.el5_5.2
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   httpd_unified
Host Name                     my.host.domain
Platform                      Linux my.host.domain 2.6.18-194.32.1.el5xen
                              #1 SMP Wed Jan 5 18:44:24 EST 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Tue Jun 28 13:00:42 2011
Last Seen                     Tue Jun 28 13:00:42 2011
Local ID                      9c16d601-7a97-475f-b4cc-ae309a980e5f
Line Numbers

Raw Audit Messages

host=my.host.domain type=AVC msg=audit(1309230042.538:9038): avc:  denied  {
write } for  pid=6564 comm="httpd" name="jk-runtime-status.6564" dev=dm-0
ino=196748 scontext=user_u:system_r:httpd_t:s0
tcontext=user_u:object_r:httpd_log_t:s0 tclass=file

host=my.host.domain type=SYSCALL msg=audit(1309230042.538:9038): arch=c000003e
syscall=77 success=no exit=-13 a0=11 a1=1c0 a2=2 a3=75746174732d656d items=0
ppid=6563 pid=6564 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=1452 comm="httpd" exe="/usr/sbin/httpd"
subj=user_u:system_r:httpd_t:s0 key=(null)
