
svn commit: r1916344 - in /httpd/httpd/trunk: .github/workflows/linux.yml changes-entries/systemd-selinux.patch modules/arch/unix/config5.m4 modules/arch/unix/mod_systemd.c
Author: jorton
Date: Fri Mar 15 15:26:11 2024
New Revision: 1916344

URL: http://svn.apache.org/viewvc?rev=1916344&view=rev
Log:
mod_systemd: if SELinux is available and enabled, log the SELinux
context at startup, since this may vary when httpd is started via
systemd vs being started directly.

* modules/arch/unix/mod_systemd.c (systemd_post_config):
Do nothing for the pre-config iteration.
Log the SELinux context if available.

* modules/arch/unix/config5.m4: Detect libselinux.

Have at least one CI job build mod_systemd.

Github: closes #422

Added:
httpd/httpd/trunk/changes-entries/systemd-selinux.patch
Modified:
httpd/httpd/trunk/.github/workflows/linux.yml
httpd/httpd/trunk/modules/arch/unix/config5.m4
httpd/httpd/trunk/modules/arch/unix/mod_systemd.c

Modified: httpd/httpd/trunk/.github/workflows/linux.yml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/.github/workflows/linux.yml?rev=1916344&r1=1916343&r2=1916344&view=diff
==============================================================================
--- httpd/httpd/trunk/.github/workflows/linux.yml (original)
+++ httpd/httpd/trunk/.github/workflows/linux.yml Fri Mar 15 15:26:11 2024
@@ -246,7 +246,8 @@ jobs:
TEST_INSTALL=1
TEST_MOD_TLS=1
- name: Configured w/reduced exports
- config: --enable-reduced-exports --enable-maintainer-mode
+ config: --enable-reduced-exports --enable-maintainer-mode --enable-systemd
+ pkgs: libsystemd-dev
env: |
SKIP_TESTING=1
TEST_INSTALL=1
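Review bot: The `pkgs:` line added to the reduced-exports job installs only `libsystemd-dev`, so the `HAVE_SELINUX` branch this commit adds to mod_systemd.c is compiled in CI only if the runner image already ships the libselinux development files. Listing that package explicitly, for example `pkgs: libsystemd-dev libselinux1-dev`, would ensure the new `log_selinux_context()` code is built under `--enable-maintainer-mode`. The job definition starts and continues outside this hunk, so any other package handling for the job is not visible here.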

Added: httpd/httpd/trunk/changes-entries/systemd-selinux.patch
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/changes-entries/systemd-selinux.patch?rev=1916344&view=auto
==============================================================================
--- httpd/httpd/trunk/changes-entries/systemd-selinux.patch (added)
+++ httpd/httpd/trunk/changes-entries/systemd-selinux.patch Fri Mar 15 15:26:11 2024
@@ -0,0 +1,2 @@
+ *) mod_systemd: Log the SELinux context at startup if available and
+ enabled. [Joe Orton]

Modified: httpd/httpd/trunk/modules/arch/unix/config5.m4
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/arch/unix/config5.m4?rev=1916344&r1=1916343&r2=1916344&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/arch/unix/config5.m4 (original)
+++ httpd/httpd/trunk/modules/arch/unix/config5.m4 Fri Mar 15 15:26:11 2024
@@ -25,6 +25,11 @@ APACHE_MODULE(systemd, Systemd support,
AC_MSG_WARN([Your system does not support systemd.])
enable_systemd="no"
else
+ AC_CHECK_LIB(selinux, is_selinux_enabled, [
+ AC_DEFINE(HAVE_SELINUX, 1, [Defined if SELinux is supported])
+ APR_ADDTO(MOD_SYSTEMD_LDADD, [-lselinux])
+ ])
+
APR_ADDTO(MOD_SYSTEMD_LDADD, [$SYSTEMD_LIBS])
fi
])
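Review bot: The `AC_CHECK_LIB(selinux, is_selinux_enabled, ...)` test defines `HAVE_SELINUX` from a link test alone, but mod_systemd.c includes `<selinux/selinux.h>` whenever that macro is set. A host with a linkable libselinux and no header would therefore fail at compile time rather than in configure. Checking the header as well, for example by wrapping the block in `AC_CHECK_HEADER([selinux/selinux.h], [...])`, keeps the failure in configure. Detection is also automatic, with no switch visible in this hunk to turn it off, so whether httpd links `-lselinux` depends on what is installed on the build host; a comment saying so would help packagers. The enclosing APACHE_MODULE block starts outside the hunk.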

Modified: httpd/httpd/trunk/modules/arch/unix/mod_systemd.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/arch/unix/mod_systemd.c?rev=1916344&r1=1916343&r2=1916344&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/arch/unix/mod_systemd.c (original)
+++ httpd/httpd/trunk/modules/arch/unix/mod_systemd.c Fri Mar 15 15:26:11 2024
@@ -29,6 +29,10 @@
#include "scoreboard.h"
#include "mpm_common.h"

+#ifdef HAVE_SELINUX
+#include <selinux/selinux.h>
+#endif
+
#include "systemd/sd-daemon.h"

#if APR_HAVE_UNISTD_H
@@ -45,6 +49,20 @@ static int systemd_pre_config(apr_pool_t
return OK;
}

+#ifdef HAVE_SELINUX
+static void log_selinux_context(void)
+{
+ char *con;
+
+ if (is_selinux_enabled() && getcon(&con) == 0) {
+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
+ APLOGNO(10497) "SELinux is enabled; "
+ "httpd running as context %s", con);
+ freecon(con);
+ }
+}
+#endif
+
/* Report the service is ready in post_config, which could be during
* startup or after a reload. The server could still hit a fatal
* startup error after this point during ap_run_mpm(), so this is
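Review bot: In `log_selinux_context()` the test `is_selinux_enabled() && getcon(&con) == 0` treats any non-zero return as "enabled", and some libselinux versions document -1 as an error return from `is_selinux_enabled()`. Comparing explicitly, `if (is_selinux_enabled() > 0 && getcon(&con) == 0) {`, avoids relying on `getcon()` to fail in that case. When SELinux is enabled but `getcon()` fails, nothing is logged, which is the case an administrator chasing a policy denial would most want to see; a debug-level message carrying errno would cover it. The function also has no comment; `/* Log the SELinux context of this process; it can differ between systemd and direct startup. */` would record why it exists.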
@@ -52,9 +70,16 @@ static int systemd_pre_config(apr_pool_t
* the TCP ports so new connections will not be rejected. There will
* always be a possible async failure event simultaneous to the
* service reporting "ready", so this should be good enough. */
-static int systemd_post_config(apr_pool_t *p, apr_pool_t *plog,
+static int systemd_post_config(apr_pool_t *pconf, apr_pool_t *plog,
apr_pool_t *ptemp, server_rec *main_server)
{
+ if (ap_state_query(AP_SQ_MAIN_STATE) == AP_SQ_MS_CREATE_PRE_CONFIG)
+ return OK;
+
+#ifdef HAVE_SELINUX
+ log_selinux_context();
+#endif
+
sd_notify(0, "READY=1\n"
"STATUS=Configuration loaded.\n");
return OK;
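Review bot: The new early return in `systemd_post_config()` is an unbraced `if`, while the new `if` in `log_selinux_context()` is braced. Bracing it as well (`if (ap_state_query(AP_SQ_MAIN_STATE) == AP_SQ_MS_CREATE_PRE_CONFIG) {`, `return OK;`, `}`) keeps the file consistent and prevents a later line from being added under the condition by mistake. The block comment above the function still describes only the readiness notification; it could gain a sentence such as `Nothing is done on the pre-config pass, so the context is logged and READY=1 is sent only for the real configuration load.` The function's closing brace lies outside the hunk.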