- move SELinux context logging to mod_systemd from httpd binary

2022-06-17 12:21:04 +01:00 · 2022-06-17 12:21:04 +01:00 · 8c54e332bb
commit 8c54e332bb
parent b0e7cd798e
3 changed files with 71 additions and 62 deletions
--- a/httpd-2.4.54-gettid.patch
+++ b/httpd-2.4.54-gettid.patch
@ -14,9 +14,9 @@ Subject: [PATCH] Check and use gettid() directly with glibc 2.30+.

 diff --git a/configure.in b/configure.in
 index 423d58d4b9a..60cbf7b7f81 100644
--- httpd-2.4.43/configure.in.gettid
-+++ httpd-2.4.43/configure.in
-@@ -478,7 +500,8 @@
+--- httpd-2.4.54/configure.in.gettid
+++ httpd-2.4.54/configure.in
+@@ -502,22 +502,26 @@
 timegm \
 getpgid \
 fopen64 \
@ -26,9 +26,7 @@ index 423d58d4b9a..60cbf7b7f81 100644
 )
 
 dnl confirm that a void pointer is large enough to store a long integer
-@@ -489,16 +512,19 @@
-    APR_ADDTO(HTTPD_LIBS, [-lselinux])
- ])
+ APACHE_CHECK_VOID_PTR_LEN
 
 -AC_CACHE_CHECK([for gettid()], ac_cv_gettid,
 +if test $ac_cv_func_gettid = no; then
@ -50,8 +48,8 @@ index 423d58d4b9a..60cbf7b7f81 100644
 fi
 
 dnl ## Check for the tm_gmtoff field in struct tm to get the timezone diffs
--- httpd-2.4.43/server/log.c.gettid
-+++ httpd-2.4.43/server/log.c
+--- httpd-2.4.54/server/log.c.gettid
+++ httpd-2.4.54/server/log.c
@@ -55,7 +55,7 @@
 #include "ap_mpm.h"
 #include "ap_listen.h"
@ -61,7 +59,7 @@ index 423d58d4b9a..60cbf7b7f81 100644
 #include <sys/syscall.h>
 #include <sys/types.h>
 #endif
-@@ -625,14 +625,18 @@
+@@ -627,14 +627,18 @@
 #if APR_HAS_THREADS
     int result;
 #endif
@ -82,7 +80,7 @@ index 423d58d4b9a..60cbf7b7f81 100644
 #if APR_HAS_THREADS
     if (ap_mpm_query(AP_MPMQ_IS_THREADED, &result) == APR_SUCCESS
         && result != AP_MPMQ_NOT_SUPPORTED)
-@@ -966,7 +970,7 @@
+@@ -968,7 +972,7 @@
 #if APR_HAS_THREADS
         field_start = len;
         len += cpystrn(buf + len, ":tid ", buflen - len);
--- a/httpd-2.4.54-selinux.patch
+++ b/httpd-2.4.54-selinux.patch
@ -1,24 +1,22 @@
 diff --git a/configure.in b/configure.in
 index 74015ca..8c0ee10 100644
--- a/configure.in
-+++ b/configure.in
-@@ -508,6 +508,11 @@ getloadavg
- dnl confirm that a void pointer is large enough to store a long integer
- APACHE_CHECK_VOID_PTR_LEN
- 
-+AC_CHECK_LIB(selinux, is_selinux_enabled, [
-+   AC_DEFINE(HAVE_SELINUX, 1, [Defined if SELinux is supported])
-+   APR_ADDTO(HTTPD_LIBS, [-lselinux])
-+])
-+
- AC_CACHE_CHECK([for gettid()], ac_cv_gettid,
- [AC_TRY_RUN(#define _GNU_SOURCE
- #include <unistd.h>
-diff --git a/server/core.c b/server/core.c
-index a6fa2fb..cf4cba4 100644
--- a/server/core.c
-+++ b/server/core.c
-@@ -65,6 +65,10 @@
+--- httpd-2.4.54/modules/arch/unix/config5.m4.selinux
+++ httpd-2.4.54/modules/arch/unix/config5.m4
+@@ -23,6 +23,11 @@
+     AC_MSG_WARN([Your system does not support systemd.])
+     enable_systemd="no"
+   else
+    AC_CHECK_LIB(selinux, is_selinux_enabled, [
+      AC_DEFINE(HAVE_SELINUX, 1, [Defined if SELinux is supported])
+      APR_ADDTO(MOD_SYSTEMD_LDADD, [-lselinux])
+    ])
+  
+     APR_ADDTO(MOD_SYSTEMD_LDADD, [$SYSTEMD_LIBS])
+   fi
+ ])
+--- httpd-2.4.54/modules/arch/unix/mod_systemd.c.selinux
+++ httpd-2.4.54/modules/arch/unix/mod_systemd.c
+@@ -35,6 +35,10 @@
 #include <unistd.h>
 #endif
 
@ -26,35 +24,38 @@ index a6fa2fb..cf4cba4 100644
 +#include <selinux/selinux.h>
 +#endif
 +
- /* LimitRequestBody handling */
- #define AP_LIMIT_REQ_BODY_UNSET         ((apr_off_t) -1)
- #define AP_DEFAULT_LIMIT_REQ_BODY       ((apr_off_t) 1<<30) /* 1GB */
-@@ -5150,6 +5154,28 @@ static int core_post_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *pte
-     }
- #endif
+ APR_DECLARE_OPTIONAL_FN(int,
+                         ap_find_systemd_socket, (process_rec *, apr_port_t));
 
-+#ifdef HAVE_SELINUX
-+    {
-+        static int already_warned = 0;
-+        int is_enabled = is_selinux_enabled() > 0;
-+        
-+        if (is_enabled && !already_warned) {
-+            security_context_t con;
-+            
-+            if (getcon(&con) == 0) {
-+                
-+                ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
-+                             "SELinux policy enabled; "
-+                             "httpd running as context %s", con);
-+                
-+                already_warned = 1;
-+                
-+                freecon(con);
-+            }
-+        }
-+    }
-+#endif
-+
-     return OK;
+@@ -70,6 +74,20 @@
+     return apr_psprintf(p, "%s port %u", addr, sa->port);
 }
 
+#ifdef HAVE_SELINUX
+static void log_selinux_context(void)
+{
+    char *con;
+
+    if (is_selinux_enabled() && getcon(&con) == 0) {
+        ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
+                     "SELinux policy enabled; "
+                     "httpd running as context %s", con);
+        freecon(con);
+    }
+}
+#endif
+
+ /* Report the service is ready in post_config, which could be during
+  * startup or after a reload.  The server could still hit a fatal
+  * startup error after this point during ap_run_mpm(), so this is
+@@ -87,6 +105,10 @@
+     if (ap_state_query(AP_SQ_MAIN_STATE) == AP_SQ_MS_CREATE_PRE_CONFIG)
+         return OK;
+ 
+#ifdef HAVE_SELINUX
+    log_selinux_context();
+#endif
+    
+     for (lr = ap_listeners; lr; lr = lr->next) {
+         char *s = dump_listener(lr, ptemp);
+ 
--- a/httpd.spec
+++ b/httpd.spec
@ -24,7 +24,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.54
-Release: 8%{?dist}
+Release: 9%{?dist}
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc
@ -86,7 +86,7 @@ Patch22: httpd-2.4.43-mod_systemd.patch
 Patch23: httpd-2.4.53-export.patch
 Patch24: httpd-2.4.43-corelimit.patch
 Patch25: httpd-2.4.54-selinux.patch
-Patch26: httpd-2.4.43-gettid.patch
+Patch26: httpd-2.4.54-gettid.patch
 Patch27: httpd-2.4.54-icons.patch
 Patch30: httpd-2.4.43-cachehardmax.patch
 Patch34: httpd-2.4.43-socket-activation.patch
@ -150,7 +150,7 @@ The httpd-core package contains essential httpd binaries.
 %package devel
 Summary: Development interfaces for the Apache HTTP Server
 Requires: apr-devel, apr-util-devel, pkgconfig, libtool
-Requires: httpd-core = %{version}-%{release}
+Requires: httpd-core = 0:%{version}-%{release}

 %description devel
 The httpd-devel package contains the APXS binary and other files
@ -254,7 +254,6 @@ written in the Lua programming language.
 %patch22 -p1 -b .mod_systemd
 %patch23 -p1 -b .export
 %patch24 -p1 -b .corelimit
-%patch25 -p1 -b .selinux
 %patch26 -p1 -b .gettid
 %patch27 -p1 -b .icons
 %patch30 -p1 -b .cachehardmax
@ -266,6 +265,7 @@ written in the Lua programming language.
 %patch42 -p1 -b .r1828172+
 %patch45 -p1 -b .logjournal
 %patch46 -p1 -b .separatesystemd
+%patch25 -p1 -b .selinux

 %patch60 -p1 -b .enable-sslv3
 %patch61 -p1 -b .r1878890
@ -384,6 +384,13 @@ export LYNX_PATH=/usr/bin/links
        --disable-http2 \
        --disable-md \
        $*
+
+if grep -q ac_cv_have_threadsafe_pollset=no config.log; then
+   cat config.log
+   : Failed to find thread-safe APR.
+   exit 1
+fi
+
 %make_build

 %install
@ -840,6 +847,9 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd

 %changelog
+* Mon Dec 19 2022 Joe Orton <jorton@redhat.com> - 2.4.54-9
+- move SELinux context logging to mod_systemd
+
 * Mon Dec 19 2022 Joe Orton <jorton@redhat.com> - 2.4.54-8
 - define _httpd_statedir macro