[JBoss JIRA] (MODCLUSTER-211) SE Linux in RHEL 6 does not support mod_cluster in the context of HTTPD
by Radoslav Husar (JIRA)
[ https://issues.jboss.org/browse/MODCLUSTER-211?page=com.atlassian.jira.pl... ]
Radoslav Husar commented on MODCLUSTER-211:
-------------------------------------------
Thanks, that's what I was looking for. Can you also confirm that this is also not a problem for mod_cluster master (or 1.3.0.Final) on httpd 2.4 on Fedora 20/RHEL7?
> SE Linux in RHEL 6 does not support mod_cluster in the context of HTTPD
> -----------------------------------------------------------------------
>
> Key: MODCLUSTER-211
> URL: https://issues.jboss.org/browse/MODCLUSTER-211
> Project: mod_cluster
> Issue Type: Feature Request
> Security Level: Public(Everyone can see)
> Affects Versions: 1.0.4.GA
> Environment: Apache 2.2.15 in RHEL 6 with mod_cluster in EAP
> Reporter: Jim Tyrrell
> Assignee: Michal Babacek
> Fix For: 1.2.6.Final
>
>
> When trying to run mod_cluster module inside of Apache I need to create a custom SE Linux policy. This should not need to be done as RHEL should ship the correctly enabled SE Linux policy, although in talking with my resident RHEL expert, the error messaging is that mod_cluster is using write instead of append as the existing policy does. I will cross post this in BZ for the SE Linux team, as I am not sure where changes need to be made; I will update this ticket with that ticket number.
> The created SE Linux TE file looks like this:
> module jbosshttpd 1.0;
> require {
>     type httpd_log_t;
>     type httpd_t;
>     type port_t;
>     type soundd_port_t;
>     class tcp_socket name_bind;
>     class file write;
>     class dir remove_name;
>     class udp_socket name_bind;
> }
> #============= httpd_t ==============
> allow httpd_t httpd_log_t:dir remove_name;
> allow httpd_t httpd_log_t:file write;
> #!!!! This avc can be allowed using the boolean 'allow_ypbind'
> allow httpd_t port_t:udp_socket name_bind;
> allow httpd_t soundd_port_t:tcp_socket name_bind;
--
This message was sent by Atlassian JIRA
(v6.2.6#6264)
10 years, 8 months
[JBoss JIRA] (MODCLUSTER-211) SE Linux in RHEL 6 does not support mod_cluster in the context of HTTPD
by Michal Babacek (JIRA)
[ https://issues.jboss.org/browse/MODCLUSTER-211?page=com.atlassian.jira.pl... ]
Michal Babacek closed MODCLUSTER-211.
-------------------------------------
10 years, 8 months
[JBoss JIRA] (MODCLUSTER-211) SE Linux in RHEL 6 does not support mod_cluster in the context of HTTPD
by Michal Babacek (JIRA)
[ https://issues.jboss.org/browse/MODCLUSTER-211?page=com.atlassian.jira.pl... ]
Michal Babacek resolved MODCLUSTER-211.
---------------------------------------
Resolution: Done
10 years, 8 months
[JBoss JIRA] (MODCLUSTER-211) SE Linux in RHEL 6 does not support mod_cluster in the context of HTTPD
by Michal Babacek (JIRA)
[ https://issues.jboss.org/browse/MODCLUSTER-211?page=com.atlassian.jira.pl... ]
Michal Babacek commented on MODCLUSTER-211:
-------------------------------------------
The mod_cluster-native RPM test suite checks for AVC Denials log records automatically these days.
The problem was fixed quite some time ago. From what I can see in the archives, EAP 6.2 with mod_cluster 1.2.6 is O.K. for sure (and it looks like 1.2.4 is fine as well).
Please mind that I'm talking about the product JBoss EAP and its RPM distribution, since you haven't specified where your RPMs came from, and yet it looks like you aren't running Fedora.
TL;DR: It's O.K. now, unless you are using some really obsolete packages.
10 years, 8 months
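The comment above says the mod_cluster-native RPM test suite now checks for AVC denial records automatically. The following is an added example of such a check, not the project's own test code: the function names are hypothetical and the audit.log lines are constructed samples that mirror the four rules in the reporter's TE file.

```python
import re
from collections import Counter

# Constructed audit.log lines (sample data, not taken from the issue). The first
# four mirror the reporter's TE rules; the last two must be ignored by the check.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1400000000.101:501): avc:  denied  { write } for  pid=2101 comm="httpd" name="error_log" dev=dm-0 ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file
type=AVC msg=audit(1400000000.102:502): avc:  denied  { remove_name } for  pid=2101 comm="httpd" name="example.lock" dev=dm-0 ino=1312 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=dir
type=AVC msg=audit(1400000000.103:503): avc:  denied  { name_bind } for  pid=2101 comm="httpd" src=23364 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=AVC msg=audit(1400000000.104:504): avc:  denied  { name_bind } for  pid=2101 comm="httpd" src=8000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:soundd_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1400000000.105:505): avc:  denied  { read } for  pid=3001 comm="sshd" name="example" dev=dm-0 ino=1400 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1400000000.106:506): avc:  granted  { append } for  pid=2101 comm="httpd" name="access_log" dev=dm-0 ino=1313 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\w+)"
)

def parse_denials(log_text):
    """Yield (source_type, target_type, tclass, perm) for every denied permission."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record, or a 'granted' record
        # SELinux contexts are user:role:type:level; the type is the third field.
        src = m["scontext"].split(":")[2]
        tgt = m["tcontext"].split(":")[2]
        for perm in m["perms"].split():
            yield (src, tgt, m["tclass"], perm)

def httpd_denials(log_text, domain="httpd_t"):
    """Count denials raised by `domain`; an empty result means the check passes."""
    return Counter(d for d in parse_denials(log_text) if d[0] == domain)

def as_allow_rules(denials):
    """Render denials as the TE allow rules a reviewer would have to justify."""
    return sorted(f"allow {s} {t}:{c} {p};" for (s, t, c, p) in denials)

if __name__ == "__main__":
    for rule in as_allow_rules(httpd_denials(SAMPLE_AUDIT_LOG)):
        print(rule)
```

A test run over a real system would read the audit log after exercising httpd with mod_cluster loaded and fail if `httpd_denials` returns anything.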
[JBoss JIRA] (MODCLUSTER-211) SE Linux in RHEL 6 does not support mod_cluster in the context of HTTPD
by Michal Babacek (JIRA)
[ https://issues.jboss.org/browse/MODCLUSTER-211?page=com.atlassian.jira.pl... ]
Michal Babacek reassigned MODCLUSTER-211:
-----------------------------------------
Assignee: Michal Babacek (was: Jim Tyrrell)
10 years, 8 months
[JBoss JIRA] (MODCLUSTER-211) SE Linux in RHEL 6 does not support mod_cluster in the context of HTTPD
by Michal Babacek (JIRA)
[ https://issues.jboss.org/browse/MODCLUSTER-211?page=com.atlassian.jira.pl... ]
Michal Babacek updated MODCLUSTER-211:
--------------------------------------
Fix Version/s: 1.2.6.Final
10 years, 8 months
[JBoss JIRA] (MODCLUSTER-211) SE Linux in RHEL 6 does not support mod_cluster in the context of HTTPD
by Jim Tyrrell (JIRA)
[ https://issues.jboss.org/browse/MODCLUSTER-211?page=com.atlassian.jira.pl... ]
Jim Tyrrell commented on MODCLUSTER-211:
----------------------------------------
I was just a reporter of this issue; I would think a test case in a test plan would need to be created to verify this is either corrected or not. Do you agree?
> SE Linux in RHEL 6 does not support mod_cluster in the context of HTTPD
> -----------------------------------------------------------------------
>
> Key: MODCLUSTER-211
> URL: https://issues.jboss.org/browse/MODCLUSTER-211
> Project: mod_cluster
> Issue Type: Feature Request
> Security Level: Public(Everyone can see)
> Affects Versions: 1.0.4.GA
> Environment: Apache 2.2.15 in RHEL 6 with mod_cluster in EAP
> Reporter: Jim Tyrrell
> Assignee: Jim Tyrrell
>
> When trying to run mod_cluster module inside of Apache I need to create a custom SE Linux policy. This should not need to be done as RHEL should ship the correctly enabled SE Linux policy, although in talking with my resident RHEL expert, the error messaging is that mod_cluster is using write instead of append as the existing policy does. I will cross post this in BZ for the SE Linux team, as I am not sure where changes need to be made; I will update this ticket with that ticket number.
> The created SE Linux TE file looks like this:
> module jbosshttpd 1.0;
> require {
>     type httpd_log_t;
>     type httpd_t;
>     type port_t;
>     type soundd_port_t;
>     class tcp_socket name_bind;
>     class file write;
>     class dir remove_name;
>     class udp_socket name_bind;
> }
> #============= httpd_t ==============
> allow httpd_t httpd_log_t:dir remove_name;
> allow httpd_t httpd_log_t:file write;
> #!!!! This avc can be allowed using the boolean 'allow_ypbind'
> allow httpd_t port_t:udp_socket name_bind;
> allow httpd_t soundd_port_t:tcp_socket name_bind;
10 years, 8 months
[JBoss JIRA] (MODCLUSTER-420) Consider dropping support for very old versions of httpd
by Radoslav Husar (JIRA)
[ https://issues.jboss.org/browse/MODCLUSTER-420?page=com.atlassian.jira.pl... ]
Radoslav Husar reassigned MODCLUSTER-420:
-----------------------------------------
Assignee: Radoslav Husar (was: Jean-Frederic Clere)
Great, then we are better off dropping!
> Consider dropping support for very old versions of httpd
> --------------------------------------------------------
>
> Key: MODCLUSTER-420
> URL: https://issues.jboss.org/browse/MODCLUSTER-420
> Project: mod_cluster
> Issue Type: Feature Request
> Security Level: Public(Everyone can see)
> Components: Native (httpd modules)
> Affects Versions: 1.3.0.Final
> Reporter: Radoslav Husar
> Assignee: Radoslav Husar
>
> The EWS is built on 2.2.24 and further on when productizing modcluster, this version might even increase. Let's consider dropping older versions prior to this one.
> If the decision is made, you can assign to me to remove the support.
10 years, 8 months
[JBoss JIRA] (MODCLUSTER-420) Consider dropping support for very old versions of httpd
by Jean-Frederic Clere (JIRA)
[ https://issues.jboss.org/browse/MODCLUSTER-420?page=com.atlassian.jira.pl... ]
Jean-Frederic Clere commented on MODCLUSTER-420:
------------------------------------------------
EWS 3.0.0 and EAP7 should use httpd-2.4.x
> Consider dropping support for very old versions of httpd
> --------------------------------------------------------
>
> Key: MODCLUSTER-420
> URL: https://issues.jboss.org/browse/MODCLUSTER-420
> Project: mod_cluster
> Issue Type: Feature Request
> Security Level: Public(Everyone can see)
> Components: Native (httpd modules)
> Affects Versions: 1.3.0.Final
> Reporter: Radoslav Husar
> Assignee: Jean-Frederic Clere
>
> The EWS is built on 2.2.24 and further on when productizing modcluster, this version might even increase. Let's consider dropping older versions prior to this one.
> If the decision is made, you can assign to me to remove the support.
10 years, 8 months
[JBoss JIRA] (MODCLUSTER-420) Consider dropping support for very old versions of httpd
by Radoslav Husar (JIRA)
[ https://issues.jboss.org/browse/MODCLUSTER-420?page=com.atlassian.jira.pl... ]
Radoslav Husar commented on MODCLUSTER-420:
-------------------------------------------
I think we should align with the EAP7 and EWS version that is going to be released then. Do we know which httpd it is going to be based on?
10 years, 8 months