- move SELinux context logging to mod_systemd from httpd binary

This commit is contained in:
Joe Orton 2022-06-17 12:21:04 +01:00
parent b0e7cd798e
commit 8c54e332bb
3 changed files with 71 additions and 62 deletions


@ -14,9 +14,9 @@ Subject: [PATCH] Check and use gettid() directly with glibc 2.30+.
diff --git a/configure.in b/configure.in
index 423d58d4b9a..60cbf7b7f81 100644
--- httpd-2.4.43/configure.in.gettid
+++ httpd-2.4.43/configure.in
@@ -478,7 +500,8 @@
--- httpd-2.4.54/configure.in.gettid
+++ httpd-2.4.54/configure.in
@@ -502,22 +502,26 @@
timegm \
getpgid \
fopen64 \
@ -26,9 +26,7 @@ index 423d58d4b9a..60cbf7b7f81 100644
)
dnl confirm that a void pointer is large enough to store a long integer
@@ -489,16 +512,19 @@
APR_ADDTO(HTTPD_LIBS, [-lselinux])
])
APACHE_CHECK_VOID_PTR_LEN
-AC_CACHE_CHECK([for gettid()], ac_cv_gettid,
+if test $ac_cv_func_gettid = no; then
@ -50,8 +48,8 @@ index 423d58d4b9a..60cbf7b7f81 100644
fi
dnl ## Check for the tm_gmtoff field in struct tm to get the timezone diffs
--- httpd-2.4.43/server/log.c.gettid
+++ httpd-2.4.43/server/log.c
--- httpd-2.4.54/server/log.c.gettid
+++ httpd-2.4.54/server/log.c
@@ -55,7 +55,7 @@
#include "ap_mpm.h"
#include "ap_listen.h"
@ -61,7 +59,7 @@ index 423d58d4b9a..60cbf7b7f81 100644
#include <sys/syscall.h>
#include <sys/types.h>
#endif
@@ -625,14 +625,18 @@
@@ -627,14 +627,18 @@
#if APR_HAS_THREADS
int result;
#endif
@ -82,7 +80,7 @@ index 423d58d4b9a..60cbf7b7f81 100644
#if APR_HAS_THREADS
if (ap_mpm_query(AP_MPMQ_IS_THREADED, &result) == APR_SUCCESS
&& result != AP_MPMQ_NOT_SUPPORTED)
@@ -966,7 +970,7 @@
@@ -968,7 +972,7 @@
#if APR_HAS_THREADS
field_start = len;
len += cpystrn(buf + len, ":tid ", buflen - len);


@ -1,24 +1,22 @@
diff --git a/configure.in b/configure.in
index 74015ca..8c0ee10 100644
--- a/configure.in
+++ b/configure.in
@@ -508,6 +508,11 @@ getloadavg
dnl confirm that a void pointer is large enough to store a long integer
APACHE_CHECK_VOID_PTR_LEN
+AC_CHECK_LIB(selinux, is_selinux_enabled, [
+ AC_DEFINE(HAVE_SELINUX, 1, [Defined if SELinux is supported])
+ APR_ADDTO(HTTPD_LIBS, [-lselinux])
+])
--- httpd-2.4.54/modules/arch/unix/config5.m4.selinux
+++ httpd-2.4.54/modules/arch/unix/config5.m4
@@ -23,6 +23,11 @@
AC_MSG_WARN([Your system does not support systemd.])
enable_systemd="no"
else
+ AC_CHECK_LIB(selinux, is_selinux_enabled, [
+ AC_DEFINE(HAVE_SELINUX, 1, [Defined if SELinux is supported])
+ APR_ADDTO(MOD_SYSTEMD_LDADD, [-lselinux])
+ ])
+
AC_CACHE_CHECK([for gettid()], ac_cv_gettid,
[AC_TRY_RUN(#define _GNU_SOURCE
#include <unistd.h>
diff --git a/server/core.c b/server/core.c
index a6fa2fb..cf4cba4 100644
--- a/server/core.c
+++ b/server/core.c
@@ -65,6 +65,10 @@
APR_ADDTO(MOD_SYSTEMD_LDADD, [$SYSTEMD_LIBS])
fi
])
--- httpd-2.4.54/modules/arch/unix/mod_systemd.c.selinux
+++ httpd-2.4.54/modules/arch/unix/mod_systemd.c
@@ -35,6 +35,10 @@
#include <unistd.h>
#endif
@ -26,35 +24,38 @@ index a6fa2fb..cf4cba4 100644
+#include <selinux/selinux.h>
+#endif
+
/* LimitRequestBody handling */
#define AP_LIMIT_REQ_BODY_UNSET ((apr_off_t) -1)
#define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 1<<30) /* 1GB */
@@ -5150,6 +5154,28 @@ static int core_post_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *pte
}
#endif
APR_DECLARE_OPTIONAL_FN(int,
ap_find_systemd_socket, (process_rec *, apr_port_t));
+#ifdef HAVE_SELINUX
+ {
+ static int already_warned = 0;
+ int is_enabled = is_selinux_enabled() > 0;
+
+ if (is_enabled && !already_warned) {
+ security_context_t con;
+
+ if (getcon(&con) == 0) {
+
+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
+ "SELinux policy enabled; "
+ "httpd running as context %s", con);
+
+ already_warned = 1;
+
+ freecon(con);
+ }
+ }
+ }
+#endif
+
return OK;
@@ -70,6 +74,20 @@
return apr_psprintf(p, "%s port %u", addr, sa->port);
}
+#ifdef HAVE_SELINUX
+static void log_selinux_context(void)
+{
+ char *con;
+
+ if (is_selinux_enabled() && getcon(&con) == 0) {
+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
+ "SELinux policy enabled; "
+ "httpd running as context %s", con);
+ freecon(con);
+ }
+}
+#endif
+
/* Report the service is ready in post_config, which could be during
* startup or after a reload. The server could still hit a fatal
* startup error after this point during ap_run_mpm(), so this is
@@ -87,6 +105,10 @@
if (ap_state_query(AP_SQ_MAIN_STATE) == AP_SQ_MS_CREATE_PRE_CONFIG)
return OK;
+#ifdef HAVE_SELINUX
+ log_selinux_context();
+#endif
+
for (lr = ap_listeners; lr; lr = lr->next) {
char *s = dump_listener(lr, ptemp);
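Review bot: In the new log_selinux_context() in mod_systemd.c the result of is_selinux_enabled() is used as a plain boolean, whereas the core.c version this patch replaces compared it with `> 0`; libselinux documents -1 as the error return, so an error would be treated as "enabled" and only the subsequent getcon() failure keeps the message from being logged. Restoring the original comparison keeps the two versions equivalent: `if (is_selinux_enabled() > 0 && getcon(&con) == 0) {`. The removed core.c block also carried a static already_warned guard, which the mod_systemd version drops; with the AP_SQ_MS_CREATE_PRE_CONFIG early return just above the call site this presumably logs once per start or reload, which looks intended, but a one-line comment saying so (`/* Logged once per (re)start; the pre-config pass returned above. */`) would save the next reader from wondering whether the guard was lost by accident. The post_config hook that calls log_selinux_context() starts outside the hunk.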


@ -24,7 +24,7 @@
Summary: Apache HTTP Server
Name: httpd
Version: 2.4.54
Release: 8%{?dist}
Release: 9%{?dist}
URL: https://httpd.apache.org/
Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc
@ -86,7 +86,7 @@ Patch22: httpd-2.4.43-mod_systemd.patch
Patch23: httpd-2.4.53-export.patch
Patch24: httpd-2.4.43-corelimit.patch
Patch25: httpd-2.4.54-selinux.patch
Patch26: httpd-2.4.43-gettid.patch
Patch26: httpd-2.4.54-gettid.patch
Patch27: httpd-2.4.54-icons.patch
Patch30: httpd-2.4.43-cachehardmax.patch
Patch34: httpd-2.4.43-socket-activation.patch
@ -150,7 +150,7 @@ The httpd-core package contains essential httpd binaries.
%package devel
Summary: Development interfaces for the Apache HTTP Server
Requires: apr-devel, apr-util-devel, pkgconfig, libtool
Requires: httpd-core = %{version}-%{release}
Requires: httpd-core = 0:%{version}-%{release}
%description devel
The httpd-devel package contains the APXS binary and other files
@ -254,7 +254,6 @@ written in the Lua programming language.
%patch22 -p1 -b .mod_systemd
%patch23 -p1 -b .export
%patch24 -p1 -b .corelimit
%patch25 -p1 -b .selinux
%patch26 -p1 -b .gettid
%patch27 -p1 -b .icons
%patch30 -p1 -b .cachehardmax
@ -266,6 +265,7 @@ written in the Lua programming language.
%patch42 -p1 -b .r1828172+
%patch45 -p1 -b .logjournal
%patch46 -p1 -b .separatesystemd
%patch25 -p1 -b .selinux
%patch60 -p1 -b .enable-sslv3
%patch61 -p1 -b .r1878890
@ -384,6 +384,13 @@ export LYNX_PATH=/usr/bin/links
--disable-http2 \
--disable-md \
$*
if grep -q ac_cv_have_threadsafe_pollset=no config.log; then
cat config.log
: Failed to find thread-safe APR.
exit 1
fi
%make_build
%install
@ -840,6 +847,9 @@ exit $rv
%{_rpmconfigdir}/macros.d/macros.httpd
%changelog
* Mon Dec 19 2022 Joe Orton <jorton@redhat.com> - 2.4.54-9
- move SELinux context logging to mod_systemd
* Mon Dec 19 2022 Joe Orton <jorton@redhat.com> - 2.4.54-8
- define _httpd_statedir macro