- move SELinux context logging to mod_systemd from httpd binary

2022-06-17 12:21:04 +01:00 · 2022-06-17 12:21:04 +01:00 · 8c54e332bb
commit 8c54e332bb
parent b0e7cd798e
3 changed files with 71 additions and 62 deletions
--- a/httpd-2.4.54-gettid.patch
+++ b/httpd-2.4.54-gettid.patch
@ -14,9 +14,9 @@ Subject: [PATCH] Check and use gettid() directly with glibc 2.30+.
 diff --git a/configure.in b/configure.in
 index 423d58d4b9a..60cbf7b7f81 100644
--- httpd-2.4.43/configure.in.gettid
+--- httpd-2.4.54/configure.in.gettid
-+++ httpd-2.4.43/configure.in
+++ httpd-2.4.54/configure.in
-@@ -478,7 +500,8 @@
+@@ -502,22 +502,26 @@
 timegm \
 getpgid \
 fopen64 \
@ -26,9 +26,7 @@ index 423d58d4b9a..60cbf7b7f81 100644
 )
 dnl confirm that a void pointer is large enough to store a long integer
-@@ -489,16 +512,19 @@
+ APACHE_CHECK_VOID_PTR_LEN
    APR_ADDTO(HTTPD_LIBS, [-lselinux])
 ])
 -AC_CACHE_CHECK([for gettid()], ac_cv_gettid,
 +if test $ac_cv_func_gettid = no; then
@ -50,8 +48,8 @@ index 423d58d4b9a..60cbf7b7f81 100644
 fi
 dnl ## Check for the tm_gmtoff field in struct tm to get the timezone diffs
--- httpd-2.4.43/server/log.c.gettid
+--- httpd-2.4.54/server/log.c.gettid
-+++ httpd-2.4.43/server/log.c
+++ httpd-2.4.54/server/log.c
@@ -55,7 +55,7 @@
 #include "ap_mpm.h"
 #include "ap_listen.h"
@ -61,7 +59,7 @@ index 423d58d4b9a..60cbf7b7f81 100644
 #include <sys/syscall.h>
 #include <sys/types.h>
 #endif
-@@ -625,14 +625,18 @@
+@@ -627,14 +627,18 @@
 #if APR_HAS_THREADS
     int result;
 #endif
@ -82,7 +80,7 @@ index 423d58d4b9a..60cbf7b7f81 100644
 #if APR_HAS_THREADS
     if (ap_mpm_query(AP_MPMQ_IS_THREADED, &result) == APR_SUCCESS
         && result != AP_MPMQ_NOT_SUPPORTED)
-@@ -966,7 +970,7 @@
+@@ -968,7 +972,7 @@
 #if APR_HAS_THREADS
         field_start = len;
         len += cpystrn(buf + len, ":tid ", buflen - len);
--- a/httpd-2.4.54-selinux.patch
+++ b/httpd-2.4.54-selinux.patch
@ -1,24 +1,22 @@
 diff --git a/configure.in b/configure.in
 index 74015ca..8c0ee10 100644
--- a/configure.in
+--- httpd-2.4.54/modules/arch/unix/config5.m4.selinux
-+++ b/configure.in
+++ httpd-2.4.54/modules/arch/unix/config5.m4
-@@ -508,6 +508,11 @@ getloadavg
+@@ -23,6 +23,11 @@
- dnl confirm that a void pointer is large enough to store a long integer
+     AC_MSG_WARN([Your system does not support systemd.])
- APACHE_CHECK_VOID_PTR_LEN
+     enable_systemd="no"
- 
+   else
-+AC_CHECK_LIB(selinux, is_selinux_enabled, [
+    AC_CHECK_LIB(selinux, is_selinux_enabled, [
-+   AC_DEFINE(HAVE_SELINUX, 1, [Defined if SELinux is supported])
+      AC_DEFINE(HAVE_SELINUX, 1, [Defined if SELinux is supported])
-+   APR_ADDTO(HTTPD_LIBS, [-lselinux])
+      APR_ADDTO(MOD_SYSTEMD_LDADD, [-lselinux])
-+])
+    ])
-+
+  
- AC_CACHE_CHECK([for gettid()], ac_cv_gettid,
+     APR_ADDTO(MOD_SYSTEMD_LDADD, [$SYSTEMD_LIBS])
- [AC_TRY_RUN(#define _GNU_SOURCE
+   fi
- #include <unistd.h>
+ ])
-diff --git a/server/core.c b/server/core.c
+--- httpd-2.4.54/modules/arch/unix/mod_systemd.c.selinux
-index a6fa2fb..cf4cba4 100644
+++ httpd-2.4.54/modules/arch/unix/mod_systemd.c
--- a/server/core.c
+@@ -35,6 +35,10 @@
 +++ b/server/core.c
@@ -65,6 +65,10 @@
 #include <unistd.h>
 #endif
@ -26,35 +24,38 @@ index a6fa2fb..cf4cba4 100644
 +#include <selinux/selinux.h>
 +#endif
 +
- /* LimitRequestBody handling */
+ APR_DECLARE_OPTIONAL_FN(int,
- #define AP_LIMIT_REQ_BODY_UNSET         ((apr_off_t) -1)
+                         ap_find_systemd_socket, (process_rec *, apr_port_t));
 #define AP_DEFAULT_LIMIT_REQ_BODY       ((apr_off_t) 1<<30) /* 1GB */
@@ -5150,6 +5154,28 @@ static int core_post_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *pte
     }
 #endif
-+#ifdef HAVE_SELINUX
+@@ -70,6 +74,20 @@
-+    {
+     return apr_psprintf(p, "%s port %u", addr, sa->port);
 +        static int already_warned = 0;
 +        int is_enabled = is_selinux_enabled() > 0;
 +        
 +        if (is_enabled && !already_warned) {
 +            security_context_t con;
 +            
 +            if (getcon(&con) == 0) {
 +                
 +                ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
 +                             "SELinux policy enabled; "
 +                             "httpd running as context %s", con);
 +                
 +                already_warned = 1;
 +                
 +                freecon(con);
 +            }
 +        }
 +    }
 +#endif
 +
     return OK;
 }
 +#ifdef HAVE_SELINUX
 +static void log_selinux_context(void)
 +{
 +    char *con;
 +
 +    if (is_selinux_enabled() && getcon(&con) == 0) {
 +        ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
 +                     "SELinux policy enabled; "
 +                     "httpd running as context %s", con);
 +        freecon(con);
 +    }
 +}
 +#endif
 +
 /* Report the service is ready in post_config, which could be during
  * startup or after a reload.  The server could still hit a fatal
  * startup error after this point during ap_run_mpm(), so this is
@@ -87,6 +105,10 @@
     if (ap_state_query(AP_SQ_MAIN_STATE) == AP_SQ_MS_CREATE_PRE_CONFIG)
         return OK;
 +#ifdef HAVE_SELINUX
 +    log_selinux_context();
 +#endif
 +    
     for (lr = ap_listeners; lr; lr = lr->next) {
         char *s = dump_listener(lr, ptemp);
--- a/httpd.spec
+++ b/httpd.spec
@ -24,7 +24,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.54
-Release: 8%{?dist}
+Release: 9%{?dist}
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc
@ -86,7 +86,7 @@ Patch22: httpd-2.4.43-mod_systemd.patch
 Patch23: httpd-2.4.53-export.patch
 Patch24: httpd-2.4.43-corelimit.patch
 Patch25: httpd-2.4.54-selinux.patch
-Patch26: httpd-2.4.43-gettid.patch
+Patch26: httpd-2.4.54-gettid.patch
 Patch27: httpd-2.4.54-icons.patch
 Patch30: httpd-2.4.43-cachehardmax.patch
 Patch34: httpd-2.4.43-socket-activation.patch
@ -150,7 +150,7 @@ The httpd-core package contains essential httpd binaries.
 %package devel
 Summary: Development interfaces for the Apache HTTP Server
 Requires: apr-devel, apr-util-devel, pkgconfig, libtool
-Requires: httpd-core = %{version}-%{release}
+Requires: httpd-core = 0:%{version}-%{release}
 %description devel
 The httpd-devel package contains the APXS binary and other files
@ -254,7 +254,6 @@ written in the Lua programming language.
 %patch22 -p1 -b .mod_systemd
 %patch23 -p1 -b .export
 %patch24 -p1 -b .corelimit
 %patch25 -p1 -b .selinux
 %patch26 -p1 -b .gettid
 %patch27 -p1 -b .icons
 %patch30 -p1 -b .cachehardmax
@ -266,6 +265,7 @@ written in the Lua programming language.
 %patch42 -p1 -b .r1828172+
 %patch45 -p1 -b .logjournal
 %patch46 -p1 -b .separatesystemd
 %patch25 -p1 -b .selinux
 %patch60 -p1 -b .enable-sslv3
 %patch61 -p1 -b .r1878890
@ -384,6 +384,13 @@ export LYNX_PATH=/usr/bin/links
        --disable-http2 \
        --disable-md \
        $*
 if grep -q ac_cv_have_threadsafe_pollset=no config.log; then
   cat config.log
   : Failed to find thread-safe APR.
   exit 1
 fi
 %make_build
 %install
@ -840,6 +847,9 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd
 %changelog
 * Mon Dec 19 2022 Joe Orton <jorton@redhat.com> - 2.4.54-9
 - move SELinux context logging to mod_systemd
 * Mon Dec 19 2022 Joe Orton <jorton@redhat.com> - 2.4.54-8
 - define _httpd_statedir macro