Gentoo Archives: gentoo-hardened

From: Travis Fraser <travis@×××××××××.net>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] SELinux and Apache - no pid file?
Date: Fri, 07 Oct 2005 02:27:39
Message-Id: 1128651907.17904.6.camel@bugaboo.snowpatch.net
In Reply to: Re: [gentoo-hardened] SELinux and Apache - no pid file? by Chris PeBenito
On Thu, 2005-10-06 at 22:00 -0400, Chris PeBenito wrote:
> On Thu, 2005-10-06 at 14:18 -0400, Albert Lash wrote:
> > The problem I am experiencing is when I restart apache. I do this as root,
> > su'd from a user with SELinux role staff_r and sysadm_r. I first login via
> > ssh as a normal user, then I newrole -r sysadm_r, then I su, and then I
> > /etc/init.d/apache2 restart. I get a warning that there is no pid. So
> > then I have to kill the process identified by ps -A, and then
> > /etc/init.d/apache start. (Whenever I run an init script, I have to
> > authenticate as the original user who has the sysadm_r role). The server
> > starts fine, but seems to have a delay before I can access the server via
> > a browser. Even when the server starts responding to browser requests, no
> > pid file is written to /var/run. There aren't even any denials in the
> > /var/log/messages files, which still wouldn't prevent a pid file from
> > getting written, as I am in permissive mode.
>
It seems to have something to do with entropy? See this thread:
http://forums.gentoo.org/viewtopic-t-384660-highlight-apache+pid.html

specifically this part:
MY_BUILTINS="--with-devrandom=/dev/urandom" emerge apache

This solved the exact problem for me even though I had no problems on
other servers (no selinux on any of them though).

> If this doesn't work in permissive, then it points to something not
> SELinux related being wrong. I suggest looking at the apache logs for
> errors, and also check DAC perms.
>
> > I have also tried the SELinux run_init command before the init script with
> > the same results.
>
> This won't help because Gentoo already has run_init integrated into the
> init script system.
>
> > Is this standard behavior for Apache2 on SELinux?
>
> No, I can't reproduce it on my enforcing systems.
>
--
Travis Fraser <travis@×××××××××.net>

--
gentoo-hardened@g.o mailing list

Replies

Subject Author
Re: [gentoo-hardened] SELinux and Apache - no pid file? Albert Lash <alby@××××××××.net>