Apache2 not working with selinux policy minimum

I have set up an apache2 server on Leap 42.3, then enabled SELinux with “selinux-policy-minimum-20140730-98.1”.
When apache2 is starting, a directory “/etc/apache2/sysconfig.d” is created automatically. I have set the context manually with “semanage fcontext”. So the status now is:


# ls -lZ /etc/apache2/

....
drwxr-xr-x. 2 root root system_u:object_r:httpd_config_t:s0  4096 Aug  9 10:03 sysconfig.d
....

# ls -lZ /etc/apache2/sysconfig.d/

-rw-r--r--. 1 root root system_u:object_r:httpd_config_t:s0  238 Aug  9 10:10 global.conf
-rw-r--r--. 1 root root system_u:object_r:httpd_config_t:s0   92 Aug  9 10:10 include.conf
-rw-r--r--. 1 root root system_u:object_r:httpd_config_t:s0 1704 Aug  9 10:10 loadmodule.conf

Starting apache2 with “systemctl start apache2” failed.


# journalctl -xe

Aug 09 10:26:08 linux-9wtz systemd[1]: Starting Cleanup of Temporary Directories...
-- Subject: Unit systemd-tmpfiles-clean.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit systemd-tmpfiles-clean.service has begun starting up.
Aug 09 10:26:08 linux-9wtz systemd[1]: Started Cleanup of Temporary Directories.
-- Subject: Unit systemd-tmpfiles-clean.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit systemd-tmpfiles-clean.service has finished starting up.
--
-- The start-up result is done.
Aug 09 10:29:15 linux-9wtz systemd[1]: Starting The Apache Webserver...
-- Subject: Unit apache2.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit apache2.service has begun starting up.
Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 90: /etc/apache2/sysconfig.d//global.conf: Permission denied
Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 90: /etc/apache2/sysconfig.d//include.conf: Permission denied
Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 90: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 94: /etc/apache2/sysconfig.d//global.conf: Permission denied
Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 124: /etc/apache2/sysconfig.d//global.conf: Permission denied
Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 128: /etc/apache2/sysconfig.d//global.conf: Permission denied
Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 132: /etc/apache2/sysconfig.d//global.conf: Permission denied
Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 136: /etc/apache2/sysconfig.d//global.conf: Permission denied
Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 140: /etc/apache2/sysconfig.d//global.conf: Permission denied
Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
Aug 09 10:29:16 linux-9wtz start_apache2[1967]: AH00557: httpd-prefork: apr_sockaddr_info_get() failed for linux-9wtz
Aug 09 10:29:16 linux-9wtz start_apache2[1967]: AH00558: httpd-prefork: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
Aug 09 10:29:16 linux-9wtz start_apache2[1967]: (13)Permission denied: AH00091: httpd-prefork: could not open error log file /var/log/apache2/error_log.
Aug 09 10:29:16 linux-9wtz start_apache2[1967]: AH00015: Unable to open logs
Aug 09 10:29:16 linux-9wtz systemd[1]: apache2.service: Main process exited, code=exited, status=1/FAILURE
Aug 09 10:29:16 linux-9wtz start_apache2[1976]: /usr/sbin/start_apache2: line 90: /etc/apache2/sysconfig.d//global.conf: Permission denied
Aug 09 10:29:16 linux-9wtz start_apache2[1976]: /usr/sbin/start_apache2: line 90: /etc/apache2/sysconfig.d//include.conf: Permission denied
Aug 09 10:29:16 linux-9wtz start_apache2[1976]: /usr/sbin/start_apache2: line 90: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
Aug 09 10:29:16 linux-9wtz start_apache2[1976]: /usr/sbin/start_apache2: line 94: /etc/apache2/sysconfig.d//global.conf: Permission denied
Aug 09 10:29:16 linux-9wtz start_apache2[1976]: /usr/sbin/start_apache2: line 124: /etc/apache2/sysconfig.d//global.conf: Permission denied
Aug 09 10:29:16 linux-9wtz start_apache2[1976]: /usr/sbin/start_apache2: line 128: /etc/apache2/sysconfig.d//global.conf: Permission denied
Aug 09 10:29:16 linux-9wtz start_apache2[1976]: /usr/sbin/start_apache2: line 132: /etc/apache2/sysconfig.d//global.conf: Permission denied
Aug 09 10:29:16 linux-9wtz start_apache2[1976]: /usr/sbin/start_apache2: line 136: /etc/apache2/sysconfig.d//global.conf: Permission denied
Aug 09 10:29:16 linux-9wtz start_apache2[1976]: /usr/sbin/start_apache2: line 140: /etc/apache2/sysconfig.d//global.conf: Permission denied
Aug 09 10:29:16 linux-9wtz start_apache2[1976]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
Aug 09 10:29:16 linux-9wtz start_apache2[1976]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
Aug 09 10:29:16 linux-9wtz start_apache2[1976]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
Aug 09 10:29:16 linux-9wtz start_apache2[1976]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
Aug 09 10:29:16 linux-9wtz start_apache2[1976]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
Aug 09 10:29:16 linux-9wtz start_apache2[1976]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
Aug 09 10:29:16 linux-9wtz start_apache2[1976]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
Aug 09 10:29:16 linux-9wtz start_apache2[1976]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
Aug 09 10:29:16 linux-9wtz start_apache2[1976]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
Aug 09 10:29:16 linux-9wtz start_apache2[1976]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
Aug 09 10:29:16 linux-9wtz start_apache2[1976]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
Aug 09 10:29:16 linux-9wtz start_apache2[1976]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
Aug 09 10:29:16 linux-9wtz start_apache2[1976]: AH00557: httpd-prefork: apr_sockaddr_info_get() failed for linux-9wtz
Aug 09 10:29:16 linux-9wtz start_apache2[1976]: AH00558: httpd-prefork: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
Aug 09 10:29:16 linux-9wtz start_apache2[1976]: httpd (no pid file) not running
Aug 09 10:29:16 linux-9wtz systemd[1]: Failed to start The Apache Webserver.
-- Subject: Unit apache2.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit apache2.service has failed.
--
-- The result is failed.
Aug 09 10:29:16 linux-9wtz systemd[1]: apache2.service: Unit entered failed state.
Aug 09 10:29:16 linux-9wtz systemd[1]: apache2.service: Failed with result 'exit-code'.

SELinux log (/var/log/audit/audit.log): https://paste.opensuse.org/7531318
Could somebody give some tips? Thanks!

Stop using SELinux and use AppArmor which is actually supported on openSUSE, has the tools and pre-made configurations ready you can adjust and allows doing exactly the same thing as SELinux except without the retarded configuration.

Yes, I know. But I was required to do some tests with SELinux, and I have no choice :frowning:

Who requires you to do it and for what reason?

If you want to use SELinux, you should use CentOS and/or RHEL/Fedora where it’s supported properly and has guides for it.

First,
Make sure you’ve properly switched from AppArmor to SElinux.
Then, make sure you’ve configured the proper mode you want to run. As you might imagine when first setting up a system you might want to configure “permissive” and only later switch to “enforcing.” This is what is preventing your apache service from starting.

The 42.3 documentation looks good, covering same material I’ve read for previous versions of openSUSE.
It also includes the very important “Troubleshooting” section at the end which describes the procedure for addressing your issues.

https://doc.opensuse.org/documentation/leap/security/html/book.security/cha.selinux.html

If you have specific questions, post with detail… eg the steps you took to set up, the audit logfile and any Troubleshooting you attempted.

With a bit of work, I’d expect you should be successful.

TSU

Solved! Thank you for the link to the document. It is really helpful.
I checked “Troubleshooting” and found I hadn’t generated a loadable module.

# audit2why -i /var/log/audit/audit.log

...
type=AVC msg=audit(1502330706.498:468): avc:  denied  { append } for  pid=4025 comm="start_apache2" name="loadmodule.conf" dev="vda2" ino=1576484 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=0

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.
...

Use audit2allow to generate from audit.log

# audit2allow -i /var/log/audit/audit.log -M apachemodule

Then load it with semodule

# semodule -i apachemodule.pp

# restorecon -Rp /

Then start apache2

# systemctl start apache2

It works now!
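The procedure above feeds the whole audit.log to audit2allow, which turns every denial it finds into an allow rule, so it is worth seeing what those rules will be before loading the module with semodule. The following is an added example, not code from the thread or from the SELinux tools: a small parser that groups AVC records the way audit2allow does and renders them in .te syntax, then flags any rule that would let a domain write to its own *_config_t type (the exact case in the AVC quoted above, where httpd_t is denied append on httpd_config_t). The sample log lines are constructed: the first mirrors the denial posted in the thread, the others (a read on global.conf and an open on error_log labelled httpd_log_t) are hypothetical illustrations of the other "Permission denied" messages in the journal.

```python
"""Parse SELinux AVC denial records and summarise them as the type-enforcement
rules audit2allow would emit, so they can be reviewed before `semodule -i`.

Added example, not from the original forum thread. The sample records below are
constructed: the first mirrors the denial shown in the thread, the rest are
hypothetical.
"""
import re
from collections import defaultdict

# Constructed sample audit.log lines (first one mirrors the AVC in the thread).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1502330706.498:468): avc:  denied  { append } for  pid=4025 comm="start_apache2" name="loadmodule.conf" dev="vda2" ino=1576484 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=0
type=AVC msg=audit(1502330706.498:469): avc:  denied  { read } for  pid=4025 comm="start_apache2" name="global.conf" dev="vda2" ino=1576481 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=0
type=AVC msg=audit(1502330707.101:470): avc:  denied  { open } for  pid=4030 comm="httpd-prefork" name="error_log" dev="vda2" ino=1590011 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1502330707.101:470): arch=c000003e syscall=2 success=no exit=-13
"""

# "avc:  denied  { perm perm } for  key=value key="value" ..."
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    # Contexts are user:role:type:level; the type is the third component.
    fields['stype'] = fields['scontext'].split(':')[2]
    fields['ttype'] = fields['tcontext'].split(':')[2]
    fields['perms'] = m.group('perms').split()
    return fields


def summarise(log_text):
    """Group denials into (source type, target type, class) -> set of perms."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            rules[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    return rules


def to_te_rules(rules):
    """Render grouped denials as allow rules in policy (.te) syntax."""
    return [
        'allow %s %s:%s { %s };' % (s, t, cls, ' '.join(sorted(perms)))
        for (s, t, cls), perms in sorted(rules.items())
    ]


# Permissions that let the source domain modify the target object.
WRITE_LIKE = {'write', 'append', 'create', 'unlink', 'rename', 'setattr'}


def review(rules):
    """Flag rules that would let a domain modify a *_config_t type.

    A confined service normally only reads its configuration; granting it
    write-like access widens what a compromised process in that domain could
    change, so such rules deserve a second look before the module is loaded.
    """
    return [
        (s, t, cls, sorted(perms & WRITE_LIKE))
        for (s, t, cls), perms in rules.items()
        if t.endswith('_config_t') and perms & WRITE_LIKE
    ]


if __name__ == '__main__':
    grouped = summarise(SAMPLE_AUDIT_LOG)
    for rule in to_te_rules(grouped):
        print(rule)
    for s, t, cls, perms in review(grouped):
        print('REVIEW: %s gets { %s } on %s (%s)' % (s, ' '.join(perms), t, cls))
```

Run against a real audit.log (for example `python3 avc_review.py < /var/log/audit/audit.log` after changing the script to read stdin) it prints the same allow lines that `audit2allow -M` would put into the module, which makes it easy to decide whether each one belongs in policy or whether a relabel with restorecon, as done above, is the better fix.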

Cool!
And, of course many projects specify SElinux, possibly because whoever wrote the specifications never heard of AppArmor.

TSU