mod_systemd: if SELinux is available and enabled, log the SELinux #422

Closed
wants to merge 2 commits into from
3 changes: 2 additions & 1 deletion .github/workflows/linux.yml
Expand Up @@ -246,7 +246,8 @@ jobs:
TEST_INSTALL=1
TEST_MOD_TLS=1
- name: Configured w/reduced exports
config: --enable-reduced-exports --enable-maintainer-mode
config: --enable-reduced-exports --enable-maintainer-mode --enable-systemd
pkgs: libsystemd-dev
env: |
SKIP_TESTING=1
TEST_INSTALL=1
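Review bot: The `pkgs:` line for the "Configured w/reduced exports" job installs only libsystemd-dev, so unless the runner image already ships the libselinux development files, the AC_CHECK_LIB(selinux, ...) test added in config5.m4 will not succeed and the HAVE_SELINUX code in mod_systemd.c is never compiled in CI. Consider adding the libselinux development package (libselinux1-dev on Debian/Ubuntu) to `pkgs:` so the new code path is at least build-tested. Since this job sets SKIP_TESTING=1, that would still be compile coverage only.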
2 changes: 2 additions & 0 deletions changes-entries/systemd-selinux.patch
@@ -0,0 +1,2 @@
*) mod_systemd: Log the SELinux context at startup if available and
enabled. [Joe Orton]
5 changes: 5 additions & 0 deletions modules/arch/unix/config5.m4
Expand Up @@ -25,6 +25,11 @@ APACHE_MODULE(systemd, Systemd support, , , no, [
AC_MSG_WARN([Your system does not support systemd.])
enable_systemd="no"
else
AC_CHECK_LIB(selinux, is_selinux_enabled, [
AC_DEFINE(HAVE_SELINUX, 1, [Defined if SELinux is supported])
APR_ADDTO(MOD_SYSTEMD_LDADD, [-lselinux])
])

APR_ADDTO(MOD_SYSTEMD_LDADD, [$SYSTEMD_LIBS])
fi
])
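Review bot: The AC_CHECK_LIB(selinux, is_selinux_enabled, ...) block defines HAVE_SELINUX from a link test alone, yet mod_systemd.c includes <selinux/selinux.h> under that macro, so a system with the library but without the header passes configure and then fails at compile time. Pair the link test with an AC_CHECK_HEADERS([selinux/selinux.h]) check and define HAVE_SELINUX only when both succeed. The check also runs unconditionally in the systemd-enabled branch, so the module gains a -lselinux link dependency whenever the library happens to be present on the build host, with no configure switch to opt out; that deserves either an explicit option or a line in the build documentation.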
27 changes: 26 additions & 1 deletion modules/arch/unix/mod_systemd.c
Expand Up @@ -29,6 +29,10 @@
#include "scoreboard.h"
#include "mpm_common.h"

#ifdef HAVE_SELINUX
#include <selinux/selinux.h>
#endif

#include "systemd/sd-daemon.h"

#if APR_HAVE_UNISTD_H
Expand All @@ -45,16 +49,37 @@ static int systemd_pre_config(apr_pool_t *pconf, apr_pool_t *plog,
return OK;
}

#ifdef HAVE_SELINUX
static void log_selinux_context(void)
{
char *con;

if (is_selinux_enabled() && getcon(&con) == 0) {
ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
APLOGNO(10497) "SELinux is enabled; "
"httpd running as context %s", con);
freecon(con);
}
}
#endif

/* Report the service is ready in post_config, which could be during
* startup or after a reload. The server could still hit a fatal
* startup error after this point during ap_run_mpm(), so this is
* perhaps too early, but by post_config listen() has been called on
* the TCP ports so new connections will not be rejected. There will
* always be a possible async failure event simultaneous to the
* service reporting "ready", so this should be good enough. */
static int systemd_post_config(apr_pool_t *p, apr_pool_t *plog,
static int systemd_post_config(apr_pool_t *pconf, apr_pool_t *plog,
apr_pool_t *ptemp, server_rec *main_server)
{
if (ap_state_query(AP_SQ_MAIN_STATE) == AP_SQ_MS_CREATE_PRE_CONFIG)
return OK;

#ifdef HAVE_SELINUX
log_selinux_context();
#endif

sd_notify(0, "READY=1\n"
"STATUS=Configuration loaded.\n");
return OK;
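Review bot: In log_selinux_context(), ap_log_error() is called with a NULL server_rec even though systemd_post_config() already has main_server; taking a server_rec * parameter and passing main_server would tie the message to the main server's log configuration. The `is_selinux_enabled() && getcon(&con) == 0` condition also drops a getcon() failure silently, so on an SELinux-enabled host where the context cannot be read nothing is logged at all; a lower-level log line carrying errno in that branch would make the absence of the notice diagnosable. Two smaller points: the existing comment says post_config runs "during startup or after a reload", so the notice is emitted on every reload, while the changes entry says "at startup"; and the `p` to `pconf` parameter rename is unrelated to the feature and would be cleaner as its own commit.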