From: bugzilla@apache.org
To: dev@tomcat.apache.org
Subject: DO NOT REPLY [Bug 43463] Change default location of JkShmFile
Date: Tue, 28 Jun 2011 07:44:15 +0000
X-Bugzilla-Product: Tomcat Connectors
X-Bugzilla-Component: Common
X-Bugzilla-Severity: normal
X-Bugzilla-Status: CLOSED
X-Bugzilla-Priority: P2

https://issues.apache.org/bugzilla/show_bug.cgi?id=43463

--- Comment #4 from Ross Johnson 2011-06-28 07:44:15 UTC ---

Really just an install gotcha but the default location on Redhat/CentOS with
SELinux enforced produces an error in the log:

    [Sun Jun 05 04:02:02 2011] [1475:47614514131712] [error] init_jk::mod_jk.c (3181): Initializing shm:/etc/httpd/logs/jk-runtime-status.1475 errno=13. Load balancing workers will not function properly.

Setting SELinux to "Permissive" mode fixes the problem but this was not
acceptable so I chose to set JKShmFile explicitly to another location
(/var/run/httpd/mod_jk.shm).

Below is the "sealert" diagnostic from my server but please note that the fix
it suggests may be too broad for some security-conscious admins. Basically it
says that httpd does not have the correct context to write to the file
/var/log/httpd/jk-runtime-status.PID (even though that file does actually get
created).

The following command will allow this access:

    setsebool -P httpd_unified=1

Additional Information:

    Source Context       user_u:system_r:httpd_t
    Target Context       user_u:object_r:httpd_log_t
    Target Objects       ./jk-runtime-status.6564 [ file ]
    Source               httpd
    Source Path          /usr/sbin/httpd
    Port
    Host                 my.host.domain
    Source RPM Packages  httpd-2.2.3-45.el5.centos
    Target RPM Packages
    Policy RPM           selinux-policy-2.4.6-279.el5_5.2
    Selinux Enabled      True
    Policy Type          targeted
    MLS Enabled          True
    Enforcing Mode       Enforcing
    Plugin Name          httpd_unified
    Host Name            my.host.domain
    Platform             Linux my.host.domain 2.6.18-194.32.1.el5xen #1 SMP Wed Jan 5 18:44:24 EST 2011 x86_64 x86_64
    Alert Count          1
    First Seen           Tue Jun 28 13:00:42 2011
    Last Seen            Tue Jun 28 13:00:42 2011
    Local ID             9c16d601-7a97-475f-b4cc-ae309a980e5f
    Line Numbers

Raw Audit Messages

    host=my.host.domain type=AVC msg=audit(1309230042.538:9038): avc: denied { write } for pid=6564 comm="httpd" name="jk-runtime-status.6564" dev=dm-0 ino=196748 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_log_t:s0 tclass=file

    host=my.host.domain type=SYSCALL msg=audit(1309230042.538:9038): arch=c000003e syscall=77 success=no exit=-13 a0=11 a1=1c0 a2=2 a3=75746174732d656d items=0 ppid=6563 pid=6564 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1452 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
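
Added example (not part of the original bug comment, and not mod_jk or SELinux tooling): a small Python parser that pairs the AVC record with the SYSCALL record sharing its audit event serial and reduces them to the facts needed to choose a narrow fix. The function names and the one-entry syscall table are assumptions made for this illustration.

```python
import errno
import re

# Records copied from the sealert output above (line-wrap breaks repaired).
SAMPLE = (
    'host=my.host.domain type=AVC msg=audit(1309230042.538:9038): avc: denied { write } for pid=6564 comm="httpd" name="jk-runtime-status.6564" dev=dm-0 ino=196748 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_log_t:s0 tclass=file\n'
    'host=my.host.domain type=SYSCALL msg=audit(1309230042.538:9038): arch=c000003e syscall=77 success=no exit=-13 a0=11 a1=1c0 a2=2 a3=75746174732d656d items=0 ppid=6563 pid=6564 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1452 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)\n'
)

HEAD = re.compile(r'type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
# Only the syscall number seen above; valid for arch=c000003e (x86_64).
X86_64_SYSCALLS = {'77': 'ftruncate'}

def parse_events(text):
    """Group audit records by event serial: {serial: {record_type: fields}}."""
    events = {}
    for line in text.splitlines():
        m = HEAD.search(line)
        if not m:
            continue
        rtype, serial = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
        p = PERMS.search(line)
        if p:
            fields['perms'] = p.group(1).split()
        events.setdefault(serial, {})[rtype] = fields
    return events

def summarize_denials(text):
    """One summary dict per AVC denial, joined with its SYSCALL record."""
    out = []
    for serial, recs in sorted(parse_events(text).items()):
        avc, sc = recs.get('AVC'), recs.get('SYSCALL', {})
        if not avc or 'perms' not in avc:
            continue
        code = -int(sc['exit']) if sc.get('success') == 'no' else 0
        out.append({
            'serial': serial, 'exe': sc.get('exe'), 'name': avc.get('name'),
            'syscall': X86_64_SYSCALLS.get(sc.get('syscall'), sc.get('syscall')),
            'errno': errno.errorcode.get(code), 'perms': avc['perms'],
            'source_type': avc['scontext'].split(':')[2],
            'target_type': avc['tcontext'].split(':')[2],
            'tclass': avc['tclass'],
        })
    return out

if __name__ == '__main__':
    for denial in summarize_denials(SAMPLE):
        print(denial)
```

For the records above it reports httpd_t denied write on an httpd_log_t file during ftruncate with EACCES, the same errno 13 that mod_jk logs, which points at the label of the directory holding the file rather than at a need for the httpd_unified boolean.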