PR#26: - move SELinux context logging to mod_systemd from httpd binary - rpms/httpd

rpms / httpd

#26 - move SELinux context logging to mod_systemd from httpd binary

Merged a year ago by jorton. Opened 2 years ago by jorton.

rpms/ jorton/httpd relocate-selinux-logging into rawhide

Work around aarch64 build failures.

Joe Orton • a year ago

f5d2d48

- move SELinux context logging to mod_systemd from httpd binary

Joe Orton • a year ago

8c54e33

httpd-2.4.54-gettid.patch ~~httpd-2.4.43-gettid.patch~~

file renamed

+8 -10

		`@@ -14,9 +14,9 @@`

		`diff --git a/configure.in b/configure.in`
		`index 423d58d4b9a..60cbf7b7f81 100644`
		`- --- httpd-2.4.43/configure.in.gettid`
		`- +++ httpd-2.4.43/configure.in`
		`- @@ -478,7 +500,8 @@`
		`+ --- httpd-2.4.54/configure.in.gettid`
		`+ +++ httpd-2.4.54/configure.in`
		`+ @@ -502,22 +502,26 @@`
		`timegm \`
		`getpgid \`
		`fopen64 \`
		`@@ -26,9 +26,7 @@`
		`)`

		`dnl confirm that a void pointer is large enough to store a long integer`
		`- @@ -489,16 +512,19 @@`
		`- APR_ADDTO(HTTPD_LIBS, [-lselinux])`
		`- ])`
		`+ APACHE_CHECK_VOID_PTR_LEN`

		`-AC_CACHE_CHECK([for gettid()], ac_cv_gettid,`
		`+if test $ac_cv_func_gettid = no; then`
		`@@ -50,8 +48,8 @@`
		`fi`

		`dnl ## Check for the tm_gmtoff field in struct tm to get the timezone diffs`
		`- --- httpd-2.4.43/server/log.c.gettid`
		`- +++ httpd-2.4.43/server/log.c`
		`+ --- httpd-2.4.54/server/log.c.gettid`
		`+ +++ httpd-2.4.54/server/log.c`
		`@@ -55,7 +55,7 @@`
		`#include "ap_mpm.h"`
		`#include "ap_listen.h"`
		`@@ -61,7 +59,7 @@`
		`#include <sys/syscall.h>`
		`#include <sys/types.h>`
		`#endif`
		`- @@ -625,14 +625,18 @@`
		`+ @@ -627,14 +627,18 @@`
		`#if APR_HAS_THREADS`
		`int result;`
		`#endif`
		`@@ -82,7 +80,7 @@`
		`#if APR_HAS_THREADS`
		`if (ap_mpm_query(AP_MPMQ_IS_THREADED, &result) == APR_SUCCESS`
		`&& result != AP_MPMQ_NOT_SUPPORTED)`
		`- @@ -966,7 +970,7 @@`
		`+ @@ -968,7 +972,7 @@`
		`#if APR_HAS_THREADS`
		`field_start = len;`
		`len += cpystrn(buf + len, ":tid ", buflen - len);`

httpd-2.4.54-selinux.patch

file modified

+46 -45

		`@@ -1,24 +1,22 @@`
		`diff --git a/configure.in b/configure.in`
		`index 74015ca..8c0ee10 100644`
		`- --- a/configure.in`
		`- +++ b/configure.in`
		`- @@ -508,6 +508,11 @@ getloadavg`
		`- dnl confirm that a void pointer is large enough to store a long integer`
		`- APACHE_CHECK_VOID_PTR_LEN`
		`-`
		`- +AC_CHECK_LIB(selinux, is_selinux_enabled, [`
		`- + AC_DEFINE(HAVE_SELINUX, 1, [Defined if SELinux is supported])`
		`- + APR_ADDTO(HTTPD_LIBS, [-lselinux])`
		`- +])`
		`- +`
		`- AC_CACHE_CHECK([for gettid()], ac_cv_gettid,`
		`- [AC_TRY_RUN(#define _GNU_SOURCE`
		`- #include <unistd.h>`
		`- diff --git a/server/core.c b/server/core.c`
		`- index a6fa2fb..cf4cba4 100644`
		`- --- a/server/core.c`
		`- +++ b/server/core.c`
		`- @@ -65,6 +65,10 @@`
		`+ --- httpd-2.4.54/modules/arch/unix/config5.m4.selinux`
		`+ +++ httpd-2.4.54/modules/arch/unix/config5.m4`
		`+ @@ -23,6 +23,11 @@`
		`+ AC_MSG_WARN([Your system does not support systemd.])`
		`+ enable_systemd="no"`
		`+ else`
		`+ + AC_CHECK_LIB(selinux, is_selinux_enabled, [`
		`+ + AC_DEFINE(HAVE_SELINUX, 1, [Defined if SELinux is supported])`
		`+ + APR_ADDTO(MOD_SYSTEMD_LDADD, [-lselinux])`
		`+ + ])`
		`+ +`
		`+ APR_ADDTO(MOD_SYSTEMD_LDADD, [$SYSTEMD_LIBS])`
		`+ fi`
		`+ ])`
		`+ --- httpd-2.4.54/modules/arch/unix/mod_systemd.c.selinux`
		`+ +++ httpd-2.4.54/modules/arch/unix/mod_systemd.c`
		`+ @@ -35,6 +35,10 @@`
		`#include <unistd.h>`
		`#endif`

		`@@ -26,35 +24,38 @@`
		`+#include <selinux/selinux.h>`
		`+#endif`
		`+`
		`- /* LimitRequestBody handling */`
		`- #define AP_LIMIT_REQ_BODY_UNSET ((apr_off_t) -1)`
		`- #define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 1<<30) /* 1GB */`
		`- @@ -5150,6 +5154,28 @@ static int core_post_config(apr_pool_t pconf, apr_pool_t plog, apr_pool_t *pte`
		`- }`
		`- #endif`
		`+ APR_DECLARE_OPTIONAL_FN(int,`
		`+ ap_find_systemd_socket, (process_rec *, apr_port_t));`
		`+`
		`+ @@ -70,6 +74,20 @@`
		`+ return apr_psprintf(p, "%s port %u", addr, sa->port);`
		`+ }`

		`+#ifdef HAVE_SELINUX`
		`- + {`
		`- + static int already_warned = 0;`
		`- + int is_enabled = is_selinux_enabled() > 0;`
		`- +`
		`- + if (is_enabled && !already_warned) {`
		`- + security_context_t con;`
		`- +`
		`- + if (getcon(&con) == 0) {`
		`- +`
		`- + ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,`
		`- + "SELinux policy enabled; "`
		`- + "httpd running as context %s", con);`
		`- +`
		`- + already_warned = 1;`
		`- +`
		`- + freecon(con);`
		`- + }`
		`- + }`
		`+ +static void log_selinux_context(void)`
		`+ +{`
		`+ + char *con;`
		`+ +`
		`+ + if (is_selinux_enabled() && getcon(&con) == 0) {`
		`+ + ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,`
		`+ + "SELinux policy enabled; "`
		`+ + "httpd running as context %s", con);`
		`+ + freecon(con);`
		`+ }`
		`+ +}`
		`+#endif`
		`+`
		`- return OK;`
		`- }`
		`+ /* Report the service is ready in post_config, which could be during`
		`+ * startup or after a reload. The server could still hit a fatal`
		`+ * startup error after this point during ap_run_mpm(), so this is`
		`+ @@ -87,6 +105,10 @@`
		`+ if (ap_state_query(AP_SQ_MAIN_STATE) == AP_SQ_MS_CREATE_PRE_CONFIG)`
		`+ return OK;`
		`+`
		`+ +#ifdef HAVE_SELINUX`
		`+ + log_selinux_context();`
		`+ +#endif`
		`+ +`
		`+ for (lr = ap_listeners; lr; lr = lr->next) {`
		`+ char *s = dump_listener(lr, ptemp);`

httpd.spec

file modified

+21 -4

		`@@ -24,7 +24,7 @@`
		`Summary: Apache HTTP Server`
		`Name: httpd`
		`Version: 2.4.54`
		`- Release: 8%{?dist}`
		`+ Release: 9%{?dist}`
		`URL: https://httpd.apache.org/`
		`Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2`
		`Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc`
		`@@ -86,7 +86,7 @@`
		`Patch23: httpd-2.4.53-export.patch`
		`Patch24: httpd-2.4.43-corelimit.patch`
		`Patch25: httpd-2.4.54-selinux.patch`
		`- Patch26: httpd-2.4.43-gettid.patch`
		`+ Patch26: httpd-2.4.54-gettid.patch`
		`Patch27: httpd-2.4.54-icons.patch`
		`Patch30: httpd-2.4.43-cachehardmax.patch`
		`Patch34: httpd-2.4.43-socket-activation.patch`
		`@@ -150,7 +150,7 @@`
		`%package devel`
		`Summary: Development interfaces for the Apache HTTP Server`
		`Requires: apr-devel, apr-util-devel, pkgconfig, libtool`
		`- Requires: httpd-core = %{version}-%{release}`
		`+ Requires: httpd-core = 0:%{version}-%{release}`

		`%description devel`
		`The httpd-devel package contains the APXS binary and other files`
		`@@ -254,7 +254,6 @@`
		`%patch22 -p1 -b .mod_systemd`
		`%patch23 -p1 -b .export`
		`%patch24 -p1 -b .corelimit`
		`- %patch25 -p1 -b .selinux`
		`%patch26 -p1 -b .gettid`
		`%patch27 -p1 -b .icons`
		`%patch30 -p1 -b .cachehardmax`
		`@@ -266,6 +265,7 @@`
		`%patch42 -p1 -b .r1828172+`
		`%patch45 -p1 -b .logjournal`
		`%patch46 -p1 -b .separatesystemd`
		`+ %patch25 -p1 -b .selinux`

		`%patch60 -p1 -b .enable-sslv3`
		`%patch61 -p1 -b .r1878890`
		`@@ -338,6 +338,13 @@`
		`# Hard-code path to links to avoid unnecessary builddep`
		`export LYNX_PATH=/usr/bin/links`

		`+ %ifarch aarch64`
		`+ # The configure check for epoll_create() is failing. httpd/apr only`
		`+ # actually uses epoll_create1() so this test could be smarter. Work`
		`+ # around it for now.`
		`+ export ac_cv_func_epoll_create=yes`
		`+ %endif`
		`+`
		`# Build the daemon`
		`./configure \`
		`--prefix=%{_sysconfdir}/httpd \`
		`@@ -384,6 +391,13 @@`
		`--disable-http2 \`
		`--disable-md \`
		`$*`
		`+`
		`+ if grep -q ac_cv_have_threadsafe_pollset=no config.log; then`
		`+ cat config.log`
		`+ : Failed to find thread-safe APR.`
		`+ exit 1`
		`+ fi`
		`+`
		`%make_build`

		`%install`
		`@@ -840,6 +854,9 @@`
		`%{_rpmconfigdir}/macros.d/macros.httpd`

		`%changelog`
		`+ * Mon Dec 19 2022 Joe Orton <jorton@redhat.com> - 2.4.54-9`
		`+ - move SELinux context logging to mod_systemd`
		`+`
		`* Mon Dec 19 2022 Joe Orton <jorton@redhat.com> - 2.4.54-8`
		`- define _httpd_statedir macro`