From 8c54e332bbb7b718fffccdd9340bca2ae5ec9b3a Mon Sep 17 00:00:00 2001 From: Joe Orton Date: Fri, 17 Jun 2022 12:21:04 +0100 Subject: [PATCH] - move SELinux context logging to mod_systemd from httpd binary --- ...-gettid.patch => httpd-2.4.54-gettid.patch | 18 ++-- httpd-2.4.54-selinux.patch | 97 ++++++++++--------- httpd.spec | 18 +++- 3 files changed, 71 insertions(+), 62 deletions(-) rename httpd-2.4.43-gettid.patch => httpd-2.4.54-gettid.patch (90%) diff --git a/httpd-2.4.43-gettid.patch b/httpd-2.4.54-gettid.patch similarity index 90% rename from httpd-2.4.43-gettid.patch rename to httpd-2.4.54-gettid.patch index f80b3a7..dfc447b 100644 --- a/httpd-2.4.43-gettid.patch +++ b/httpd-2.4.54-gettid.patch @@ -14,9 +14,9 @@ Subject: [PATCH] Check and use gettid() directly with glibc 2.30+. diff --git a/configure.in b/configure.in index 423d58d4b9a..60cbf7b7f81 100644 ---- httpd-2.4.43/configure.in.gettid -+++ httpd-2.4.43/configure.in -@@ -478,7 +500,8 @@ +--- httpd-2.4.54/configure.in.gettid ++++ httpd-2.4.54/configure.in +@@ -502,22 +502,26 @@ timegm \ getpgid \ fopen64 \ @@ -26,9 +26,7 @@ index 423d58d4b9a..60cbf7b7f81 100644 ) dnl confirm that a void pointer is large enough to store a long integer -@@ -489,16 +512,19 @@ - APR_ADDTO(HTTPD_LIBS, [-lselinux]) - ]) + APACHE_CHECK_VOID_PTR_LEN -AC_CACHE_CHECK([for gettid()], ac_cv_gettid, +if test $ac_cv_func_gettid = no; then @@ -50,8 +48,8 @@ index 423d58d4b9a..60cbf7b7f81 100644 fi dnl ## Check for the tm_gmtoff field in struct tm to get the timezone diffs ---- httpd-2.4.43/server/log.c.gettid -+++ httpd-2.4.43/server/log.c +--- httpd-2.4.54/server/log.c.gettid ++++ httpd-2.4.54/server/log.c @@ -55,7 +55,7 @@ #include "ap_mpm.h" #include "ap_listen.h" @@ -61,7 +59,7 @@ index 423d58d4b9a..60cbf7b7f81 100644 #include #include #endif -@@ -625,14 +625,18 @@ +@@ -627,14 +627,18 @@ #if APR_HAS_THREADS int result; #endif 
@@ -82,7 +80,7 @@ index 423d58d4b9a..60cbf7b7f81 100644 #if APR_HAS_THREADS if (ap_mpm_query(AP_MPMQ_IS_THREADED, &result) == APR_SUCCESS && result != AP_MPMQ_NOT_SUPPORTED) -@@ -966,7 +970,7 @@ +@@ -968,7 +972,7 @@ #if APR_HAS_THREADS field_start = len; len += cpystrn(buf + len, ":tid ", buflen - len); diff --git a/httpd-2.4.54-selinux.patch b/httpd-2.4.54-selinux.patch index 3868b3b..4d66bd8 100644 --- a/httpd-2.4.54-selinux.patch +++ b/httpd-2.4.54-selinux.patch @@ -1,24 +1,22 @@ diff --git a/configure.in b/configure.in index 74015ca..8c0ee10 100644 ---- a/configure.in -+++ b/configure.in -@@ -508,6 +508,11 @@ getloadavg - dnl confirm that a void pointer is large enough to store a long integer - APACHE_CHECK_VOID_PTR_LEN - -+AC_CHECK_LIB(selinux, is_selinux_enabled, [ -+ AC_DEFINE(HAVE_SELINUX, 1, [Defined if SELinux is supported]) -+ APR_ADDTO(HTTPD_LIBS, [-lselinux]) -+]) -+ - AC_CACHE_CHECK([for gettid()], ac_cv_gettid, - [AC_TRY_RUN(#define _GNU_SOURCE - #include -diff --git a/server/core.c b/server/core.c -index a6fa2fb..cf4cba4 100644 ---- a/server/core.c -+++ b/server/core.c -@@ -65,6 +65,10 @@ +--- httpd-2.4.54/modules/arch/unix/config5.m4.selinux ++++ httpd-2.4.54/modules/arch/unix/config5.m4 +@@ -23,6 +23,11 @@ + AC_MSG_WARN([Your system does not support systemd.]) + enable_systemd="no" + else ++ AC_CHECK_LIB(selinux, is_selinux_enabled, [ ++ AC_DEFINE(HAVE_SELINUX, 1, [Defined if SELinux is supported]) ++ APR_ADDTO(MOD_SYSTEMD_LDADD, [-lselinux]) ++ ]) ++ + APR_ADDTO(MOD_SYSTEMD_LDADD, [$SYSTEMD_LIBS]) + fi + ]) +--- httpd-2.4.54/modules/arch/unix/mod_systemd.c.selinux ++++ httpd-2.4.54/modules/arch/unix/mod_systemd.c +@@ -35,6 +35,10 @@ #include #endif 
@@ -26,35 +24,38 @@ index a6fa2fb..cf4cba4 100644 +#include +#endif + - /* LimitRequestBody handling */ - #define AP_LIMIT_REQ_BODY_UNSET ((apr_off_t) -1) - #define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 1<<30) /* 1GB */ -@@ -5150,6 +5154,28 @@ static int core_post_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *pte - } - #endif + APR_DECLARE_OPTIONAL_FN(int, + ap_find_systemd_socket, (process_rec *, apr_port_t)); -+#ifdef HAVE_SELINUX -+ { -+ static int already_warned = 0; -+ int is_enabled = is_selinux_enabled() > 0; -+ -+ if (is_enabled && !already_warned) { -+ security_context_t con; -+ -+ if (getcon(&con) == 0) { -+ -+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL, -+ "SELinux policy enabled; " -+ "httpd running as context %s", con); -+ -+ already_warned = 1; -+ -+ freecon(con); -+ } -+ } -+ } -+#endif -+ - return OK; +@@ -70,6 +74,20 @@ + return apr_psprintf(p, "%s port %u", addr, sa->port); } ++#ifdef HAVE_SELINUX ++static void log_selinux_context(void) ++{ ++ char *con; ++ ++ if (is_selinux_enabled() && getcon(&con) == 0) { ++ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL, ++ "SELinux policy enabled; " ++ "httpd running as context %s", con); ++ freecon(con); ++ } ++} ++#endif ++ + /* Report the service is ready in post_config, which could be during + * startup or after a reload. The server could still hit a fatal + * startup error after this point during ap_run_mpm(), so this is +@@ -87,6 +105,10 @@ + if (ap_state_query(AP_SQ_MAIN_STATE) == AP_SQ_MS_CREATE_PRE_CONFIG) + return OK; + ++#ifdef HAVE_SELINUX ++ log_selinux_context(); ++#endif ++ + for (lr = ap_listeners; lr; lr = lr->next) { + char *s = dump_listener(lr, ptemp); + diff --git a/httpd.spec b/httpd.spec index c2c75ee..6908087 100644 --- a/httpd.spec +++ b/httpd.spec 
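Review bot: The new `log_selinux_context()` in mod_systemd.c drops the `> 0` comparison that the removed core.c code applied to `is_selinux_enabled()`; libselinux documents a -1 return on error, which this `if` treats as "enabled" and then falls through into `getcon()`. Restoring the comparison keeps the previous semantics: `if (is_selinux_enabled() > 0 && getcon(&con) == 0) {`. The removed code also used a static `already_warned` so the message was emitted once per process, whereas the new call site in post_config runs on every reload as well (the comment above it says post_config can be "during startup or after a reload"), which is presumably acceptable log noise but worth confirming intentionally. Operators reading this NOTICE would also get more value if the enforcing/permissive mode were logged alongside the context, e.g. via `security_getenforce()`, if the build's libselinux provides it. The enclosing post_config() starts and ends outside the hunk.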
@@ -24,7 +24,7 @@ Summary: Apache HTTP Server Name: httpd Version: 2.4.54 -Release: 8%{?dist} +Release: 9%{?dist} URL: https://httpd.apache.org/ Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc @@ -86,7 +86,7 @@ Patch22: httpd-2.4.43-mod_systemd.patch Patch23: httpd-2.4.53-export.patch Patch24: httpd-2.4.43-corelimit.patch Patch25: httpd-2.4.54-selinux.patch -Patch26: httpd-2.4.43-gettid.patch +Patch26: httpd-2.4.54-gettid.patch Patch27: httpd-2.4.54-icons.patch Patch30: httpd-2.4.43-cachehardmax.patch Patch34: httpd-2.4.43-socket-activation.patch @@ -150,7 +150,7 @@ The httpd-core package contains essential httpd binaries. %package devel Summary: Development interfaces for the Apache HTTP Server Requires: apr-devel, apr-util-devel, pkgconfig, libtool -Requires: httpd-core = %{version}-%{release} +Requires: httpd-core = 0:%{version}-%{release} %description devel The httpd-devel package contains the APXS binary and other files @@ -254,7 +254,6 @@ written in the Lua programming language. %patch22 -p1 -b .mod_systemd %patch23 -p1 -b .export %patch24 -p1 -b .corelimit -%patch25 -p1 -b .selinux %patch26 -p1 -b .gettid %patch27 -p1 -b .icons %patch30 -p1 -b .cachehardmax @@ -266,6 +265,7 @@ written in the Lua programming language. %patch42 -p1 -b .r1828172+ %patch45 -p1 -b .logjournal %patch46 -p1 -b .separatesystemd +%patch25 -p1 -b .selinux %patch60 -p1 -b .enable-sslv3 %patch61 -p1 -b .r1878890 @@ -384,6 +384,13 @@ export LYNX_PATH=/usr/bin/links --disable-http2 \ --disable-md \ $* + +if grep -q ac_cv_have_threadsafe_pollset=no config.log; then + cat config.log + : Failed to find thread-safe APR. + exit 1 +fi + %make_build %install @@ -840,6 +847,9 @@ exit $rv %{_rpmconfigdir}/macros.d/macros.httpd %changelog +* Mon Dec 19 2022 Joe Orton - 2.4.54-9 +- move SELinux context logging to mod_systemd + * Mon Dec 19 2022 Joe Orton - 2.4.54-8 - define _httpd_statedir macro