2 Replies Latest reply on Jun 2, 2014 11:46 AM by witchbutter

    SELinux prevents httpd shutdown

    witchbutter

      I am in the process of setting up httpd servers that will serve as proxies for tomcat.  I've gone through several steps to allow SELinux to work on these servers, however:

      Using the SELinux policy module defined here (Chapter 17. Frequently Asked Questions, 17.9), httpd can start while SELinux is enforcing, but it cannot shut down.  Because the clean shutdown fails upon reboot, httpd does not start after reboot until you manually start the service.  The manual start always succeeds.

      In the apache error_log you can see that SELinux is preventing the shutdown:

      [root@proxy ~]# tail /var/log/messages
      May 29 11:45:59 proxy01 setroubleshoot: SELinux is preventing /usr/sbin/httpd from remove_name access on the directory manager.node.nodes. For complete SELinux messages. run sealert -l 30fa55db-6b4e-40ea-ba06-d4e7095ad735
      [root@proxy ~]# sealert -l 30fa55db-6b4e-40ea-ba06-d4e7095ad735
      SELinux is preventing /usr/sbin/httpd from remove_name access on the directory manager.node.nodes.

      *****  Plugin catchall (100. confidence) suggests  ***************************

      If you believe that httpd should be allowed remove_name access on the manager.node.nodes directory by default.
      Then you should report this as a bug.
      You can generate a local policy module to allow this access.
      Do
      allow this access for now by executing:
      # grep httpd /var/log/audit/audit.log | audit2allow -M mypol
      # semodule -i mypol.pp

      Does anyone know how the policy should be modified to allow a clean shutdown?
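The sealert plugin above suggests piping `grep httpd /var/log/audit/audit.log` straight into `audit2allow -M`. Before loading anything with `semodule`, it is worth seeing exactly which allow rules that would produce and which denials they come from. The script below is an added example, not code from this thread, from mod_cluster or from the SELinux tools: it is a deliberately small, offline stand-in for `audit2allow -M` that turns AVC denial lines into a readable policy module source (.te). The audit lines in `AVC_SAMPLE` are constructed; the `httpd_log_t` target label is assumed to be the default context of /var/log/httpd (the thread never shows the tcontext), and the `rsync` line is constructed only to show why filtering on the source domain (`scontext` type) is safer than grepping for the word "httpd", which also matches denials against `httpd_*` labels raised by other processes.

```shell
#!/bin/sh
# Added example: a narrow, offline stand-in for "audit2allow -M" that converts
# AVC denials into a policy module source (.te) so the rules can be reviewed
# before anything is loaded with semodule. The audit lines are constructed;
# httpd_log_t is ASSUMED to be the label of /var/log/httpd (default fcontext).

AVC_SAMPLE='type=AVC msg=audit(1401378359.123:4567): avc:  denied  { remove_name } for  pid=2301 comm="httpd" name="manager.node.nodes" dev=dm-0 ino=131107 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=dir
type=AVC msg=audit(1401378359.124:4568): avc:  denied  { unlink } for  pid=2301 comm="httpd" name="manager.node.nodes" dev=dm-0 ino=131107 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file
type=AVC msg=audit(1401378359.130:4569): avc:  denied  { remove_name } for  pid=2301 comm="httpd" name="manager.node.nodes.lock" dev=dm-0 ino=131108 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=dir
type=AVC msg=audit(1401378400.500:4570): avc:  denied  { read } for  pid=2410 comm="rsync" name="index.html" dev=dm-0 ino=262401 scontext=unconfined_u:system_r:rsync_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file'

# avc_to_rules SOURCE_TYPE  < audit-lines
# Prints one deduplicated "allow SRC TGT:CLASS PERM;" line per denied permission
# whose source domain is SOURCE_TYPE. Filtering on the scontext type (not on the
# word "httpd") keeps unrelated denials that merely mention httpd_* labels out.
avc_to_rules() {
  awk -v want="$1" '
    /avc: +denied/ {
      perms = $0
      sub(/.*denied +[{] */, "", perms); sub(/ *[}].*/, "", perms)   # "{ a b }" -> "a b"
      src = tgt = cls = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }    # user:role:TYPE:level
        if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      if (src != want || tgt == "" || cls == "") next
      n = split(perms, p, " ")
      for (j = 1; j <= n; j++) {
        key = src " " tgt ":" cls " " p[j]
        if (!(key in seen)) { seen[key] = 1; print "allow " key ";" }
      }
    }'
}

# avc_to_te MODULE SOURCE_TYPE  < audit-lines
# Wraps the rules in a complete .te source with the require block that
# checkmodule needs; returns 1 when no denial matched SOURCE_TYPE.
avc_to_te() {
  rules=$(avc_to_rules "$2")
  [ -n "$rules" ] || { echo "no denials for source type $2" >&2; return 1; }
  printf 'module %s 1.0;\n\nrequire {\n' "$1"
  printf '%s\n' "$rules" | awk '
    {
      t = $3; sub(/:.*/, "", t)       # target type
      c = $3; sub(/.*:/, "", c)       # object class
      p = $4; sub(/;$/, "", p)        # permission
      if (!($2 in ty)) { ty[$2] = 1; print "\ttype " $2 ";" }
      if (!(t in ty))  { ty[t] = 1;  print "\ttype " t ";" }
      key = c ":" p
      if (!(key in seen)) {
        seen[key] = 1
        if (c in perms) perms[c] = perms[c] " " p
        else { perms[c] = p; order[++nc] = c }
      }
    }
    END {
      for (i = 1; i <= nc; i++) {
        c = order[i]
        if (index(perms[c], " ")) print "\tclass " c " { " perms[c] " };"
        else print "\tclass " c " " perms[c] ";"
      }
    }'
  printf '}\n\n%s\n' "$rules"
}

# Demo: ./avc_review.sh --demo  (file name is hypothetical)
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$AVC_SAMPLE" | avc_to_te mypol httpd_t
fi
```

Two caveats worth keeping in mind when reading the generated rules. First, deleting a file needs both `remove_name` on the parent directory and `unlink` on the file, and the kernel only logs the first denial it hits, so a module built from a single denial usually just moves the failure to the next one; collecting all denials from one shutdown with `httpd_t` temporarily permissive (`semanage permissive -a httpd_t`, then `semanage permissive -d httpd_t` afterwards) avoids several load-and-retry rounds. Second, the resulting `allow httpd_t httpd_log_t:dir remove_name;` and `:file unlink` rules let httpd delete anything it owns under /var/log/httpd, access logs included, which is a broader grant than the shutdown needs; a narrower alternative (not discussed in the thread) is to keep mod_cluster's shared-memory files out of the log directory so that the delete permission is granted on a label used for nothing else.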

        • 1. Re: SELinux prevents httpd shutdown
          jfclere

          I never had that problem; which version of RHEL or Fedora are you using?

          • 2. Re: SELinux prevents httpd shutdown
            witchbutter

            RHEL 6.5 x86_64.

            I should add that the problem is because files aren't removed when httpd shuts down.  If I manually delete manager* after the shutdown the service starts after reboot.

            [root@proxy01 ~]# ls -l /var/log/httpd/manager*
            -rw-r--r--. 1 root root     8 Jun  1 03:37 /var/log/httpd/manager.balancer.balancers
            -rw-r--r--. 1 root root     0 May 30 09:59 /var/log/httpd/manager.balancer.balancers.lock
            -rw-r--r--. 1 root root  2804 Jun  1 03:37 /var/log/httpd/manager.balancer.balancers.slotmem
            -rw-r--r--. 1 root root     8 Jun  1 03:37 /var/log/httpd/manager.context.contexts
            -rw-r--r--. 1 root root     0 May 30 09:59 /var/log/httpd/manager.context.contexts.lock
            -rw-r--r--. 1 root root 11604 Jun  1 03:37 /var/log/httpd/manager.context.contexts.slotmem
            -rw-r--r--. 1 root root     8 Jun  1 03:37 /var/log/httpd/manager.domain.domain
            -rw-r--r--. 1 root root     0 May 30 09:59 /var/log/httpd/manager.domain.domain.lock
            -rw-r--r--. 1 root root  3284 Jun  1 03:37 /var/log/httpd/manager.domain.domain.slotmem
            -rw-r--r--. 1 root root     8 Jun  1 03:37 /var/log/httpd/manager.host.hosts
            -rw-r--r--. 1 root root     0 May 30 09:59 /var/log/httpd/manager.host.hosts.lock
            -rw-r--r--. 1 root root  2644 Jun  1 03:37 /var/log/httpd/manager.host.hosts.slotmem
            -rw-r--r--. 1 root root     8 Jun  1 03:37 /var/log/httpd/manager.jgroupsid.jgroupsids
            -rw-r--r--. 1 root root     0 May 30 09:59 /var/log/httpd/manager.jgroupsid.jgroupsids.lock
            -rw-r--r--. 1 root root     4 Jun  1 03:37 /var/log/httpd/manager.jgroupsid.jgroupsids.slotmem
            -rw-r--r--. 1 root root     8 Jun  1 03:37 /var/log/httpd/manager.node.nodes
            -rw-r--r--. 1 root root     0 May 30 09:59 /var/log/httpd/manager.node.nodes.lock
            -rw-r--r--. 1 root root 10484 Jun  1 03:37 /var/log/httpd/manager.node.nodes.slotmem
            -rw-r--r--. 1 root root     8 Jun  1 03:37 /var/log/httpd/manager.sessionid.sessionid
            -rw-r--r--. 1 root root     0 May 30 09:59 /var/log/httpd/manager.sessionid.sessionid.lock
            -rw-r--r--. 1 root root     4 Jun  1 03:37 /var/log/httpd/manager.sessionid.sessionid.slotmem
            [root@proxy01 ~]#