Wednesday, July 12, 2006

Red Hat Cluster Manager - SELinux headache

Symptom:
Red Hat Cluster Manager has been configured following the procedure in the manual, but Apache still fails to start. Here is the failing result:


Output from /var/log/messages:

Jul 12 01:17:42 gfs1 clurgmgrd[2612]: #43: Service Apache HTTP Service has failed; can not start.
Jul 12 01:17:42 gfs1 clurgmgrd[2612]: #13: Service Apache HTTP Service failed to stop cleanly
Jul 12 01:17:46 gfs1 clurgmgrd[2612]: Stopping service Apache HTTP Service
Jul 12 01:17:46 gfs1 clurgmgrd: [2612]: Executing /etc/rc.d/init.d/httpd stop
Jul 12 01:17:46 gfs1 httpd: httpd shutdown failed
Jul 12 01:17:46 gfs1 clurgmgrd[2612]: stop on script "Apache HTTP Server" returned 1 (generic error)
Jul 12 01:17:46 gfs1 clurgmgrd[2612]: #12: RG Apache HTTP Service failed to stop; intervention required
Jul 12 01:17:46 gfs1 clurgmgrd[2612]: Service Apache HTTP Service is failed
Jul 12 01:18:04 gfs1 kernel: audit(1152638284.918:3): avc: denied { getattr } for pid=3713 comm="httpd" name="/" dev=sda2
ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t tclass=dir
Jul 12 01:18:04 gfs1 httpd: Syntax error on line 265 of /etc/httpd/conf/httpd.conf:
Jul 12 01:18:04 gfs1 httpd: DocumentRoot must be a directory
Jul 12 01:18:04 gfs1 httpd: httpd startup failed
Jul 12 01:18:53 gfs1 ccsd[2353]: Update of cluster.conf complete (version 12 -> 14).
Jul 12 01:18:58 gfs1 clurgmgrd[2612]: #43: Service Apache HTTP Service has failed; can not start.
Jul 12 01:18:58 gfs1 clurgmgrd[2612]: #13: Service Apache HTTP Service failed to stop cleanly
Jul 12 01:18:59 gfs1 clurgmgrd[2612]: Reconfiguring
Jul 12 01:18:59 gfs1 clurgmgrd[2612]: Loading Service Data
Jul 12 01:19:00 gfs1 clurgmgrd[2612]: Stopping changed resources.
Jul 12 01:19:00 gfs1 clurgmgrd[2612]: Restarting changed resources.
Jul 12 01:19:00 gfs1 clurgmgrd[2612]: Starting changed resources.
Jul 12 01:19:15 gfs1 kernel: audit(1152638355.397:4): avc: denied { getattr } for pid=3872 comm="httpd" name="/" dev=sda2
ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t tclass=dir
Jul 12 01:19:15 gfs1 httpd: Syntax error on line 265 of /etc/httpd/conf/httpd.conf:
Jul 12 01:19:15 gfs1 httpd: DocumentRoot must be a directory
Jul 12 01:19:15 gfs1 httpd: httpd startup failed
Jul 12 01:21:26 gfs1 clurgmgrd[2612]: Stopping service Apache HTTP Service
Jul 12 01:21:26 gfs1 clurgmgrd: [2612]: Executing /etc/rc.d/init.d/httpd stop
Jul 12 01:21:26 gfs1 httpd: httpd shutdown failed
Jul 12 01:21:26 gfs1 clurgmgrd[2612]: stop on script "Apache HTTP Server" returned 1 (generic error)
Jul 12 01:21:26 gfs1 clurgmgrd[2612]: #12: RG Apache HTTP Service failed to stop; intervention required
Jul 12 01:21:26 gfs1 clurgmgrd[2612]: Service Apache HTTP Service is failed
Jul 12 01:21:30 gfs1 clurgmgrd[2612]: #43: Service Apache HTTP Service has failed; can not start.
Jul 12 01:21:30 gfs1 clurgmgrd[2612]: #13: Service Apache HTTP Service failed to stop cleanly
Jul 12 01:21:40 gfs1 httpd: httpd startup succeeded
Jul 12 01:23:41 gfs1 clurgmgrd[2612]: #43: Service Apache HTTP Service has failed; can not start.
Jul 12 01:23:41 gfs1 clurgmgrd[2612]: #13: Service Apache HTTP Service failed to stop cleanly

Judging by the error messages (the avc: denied line for comm="httpd"), this looks SELinux-related. So, quick as lightning, SELinux protection for httpd was disabled.

Edit the file /etc/selinux/targeted/booleans and add the entry below (the boolean is named httpd_disable_trans, so disabling the transition means setting it to 1; the setsebool message in the log further down confirms the value 1):
httpd_disable_trans=1

You can also use the system-config-securitylevel utility and tick the box "Disable SELinux protection for httpd daemon".

Voila! The httpd service started successfully. The successful result:


Output from /var/log/messages:

Jul 12 01:24:40 gfs1 kernel: audit(1152638680.024:5): avc: granted { setbool } for pid=4186 comm="setsebool" scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
Jul 12 01:24:40 gfs1 setsebool: /etc/selinux/targeted/booleans has been updated.
Jul 12 01:24:40 gfs1 kernel: audit(1152638680.026:6): avc: granted { setbool } for pid=4186 comm="setsebool" scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
Jul 12 01:24:40 gfs1 kernel: security: committed booleans { use_nfs_home_dirs:0, use_samba_home_dirs:0, httpd_unified:1, httpd_builtin_scripting:1, httpd_enable_cgi:1, httpd_enable_homedirs:1, httpd_ssi_exec:1, httpd_tty_comm:0, httpd_disable_trans:1, dhcpd_disable_trans:0, mysqld_disable_trans:0, named_disable_trans:0, named_write_master_zones:0, nscd_disable_trans:0, ntpd_disable_trans:0, pegasus_disable_trans:0, portmap_disable_trans:0, postgresql_disable_trans:0, snmpd_disable_trans:0, squid_disable_trans:0, syslogd_disable_trans:0, use_syslogng:0, allow_syslog_to_console:0, winbind_disable_trans:0, ypbind_disable_trans:0, allow_ypbind:0 }
Jul 12 01:24:40 gfs1 dbus: Can't send to audit system: USER_AVC pid=2586 uid=81 loginuid=-1 message=avc: received policyload notice (seqno=1)
Jul 12 01:24:40 gfs1 dbus: Can't send to audit system: USER_AVC pid=2586 uid=81 loginuid=-1 message=avc: 1 AV entries and 1/512 buckets used, longest chain length 1
Jul 12 01:24:40 gfs1 setsebool: The httpd_disable_trans policy boolean was changed to 1 by root
Jul 12 01:24:41 gfs1 kernel: ip_tables: (C) 2000-2002 Netfilter core team
Jul 12 01:24:45 gfs1 clurgmgrd[2612]: Stopping service Apache HTTP Service
Jul 12 01:24:45 gfs1 clurgmgrd: [2612]: Executing /etc/rc.d/init.d/httpd stop
Jul 12 01:24:47 gfs1 httpd: httpd shutdown succeeded
Jul 12 01:24:47 gfs1 clurgmgrd: [2612]: Removing IPv4 address 10.0.1.100 from eth0
Jul 12 01:24:57 gfs1 clurgmgrd: [2612]: /dev/sda2 is not mounted
Jul 12 01:24:59 gfs1 clurgmgrd[2612]: Service Apache HTTP Service is disabled
Jul 12 01:25:46 gfs1 clurgmgrd[2612]: Starting disabled service Apache HTTP Service
Jul 12 01:25:46 gfs1 clurgmgrd: [2612]: mounting /dev/sda2 on /var/www/html/
Jul 12 01:25:46 gfs1 kernel: kjournald starting. Commit interval 5 seconds
Jul 12 01:25:46 gfs1 kernel: EXT3 FS on sda2, internal journal
Jul 12 01:25:46 gfs1 kernel: EXT3-fs: mounted filesystem with ordered data mode.
Jul 12 01:25:46 gfs1 kernel: SELinux: initialized (dev sda2, type ext3), uses xattr
Jul 12 01:25:46 gfs1 clurgmgrd: [2612]: Adding IPv4 address 10.0.1.100 to eth0
Jul 12 01:25:47 gfs1 clurgmgrd: [2612]: Executing /etc/rc.d/init.d/httpd start
Jul 12 01:25:48 gfs1 httpd: httpd startup succeeded
Jul 12 01:25:48 gfs1 clurgmgrd[2612]: Service Apache HTTP Service started
Jul 12 01:26:22 gfs1 clurgmgrd: [2612]: Device /dev/sda2 is mounted on /var/www/html instead of /var/www/html/
Jul 12 01:26:22 gfs1 clurgmgrd: [2612]: Executing /etc/rc.d/init.d/httpd status
Jul 12 01:26:52 gfs1 clurgmgrd: [2612]: Device /dev/sda2 is mounted on /var/www/html instead of /var/www/html/
Jul 12 01:26:52 gfs1 clurgmgrd: [2612]: Executing /etc/rc.d/init.d/httpd status
Jul 12 01:27:02 gfs1 clurgmgrd: [2612]: Device /dev/sda2 is mounted on /var/www/html instead of /var/www/html/
Jul 12 01:27:12 gfs1 clurgmgrd: [2612]: Device /dev/sda2 is mounted on /var/www/html instead of /var/www/html/
Jul 12 01:27:22 gfs1 clurgmgrd: [2612]: Executing /etc/rc.d/init.d/httpd status
Jul 12 01:27:33 gfs1 clurgmgrd: [2612]: Device /dev/sda2 is mounted on /var/www/html instead of /var/www/html/
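The avc: denied records above carry the actual diagnosis: the subject is httpd_t, the target is the root directory (name="/", ino=2) of the freshly mounted /dev/sda2, and its label is file_t, the type SELinux gives to objects that have never been labelled. Apache's getattr on its DocumentRoot is refused for that reason, which is why httpd reports "DocumentRoot must be a directory". Setting httpd_disable_trans makes the problem disappear by running httpd outside its domain altogether; the label-preserving alternative is to relabel the mounted filesystem (restorecon applies the targeted policy's default context, httpd_sys_content_t, under /var/www) and keep httpd confined. The script below is an added example, not part of the original post: it parses an AVC record into its fields, classifies the denial, and prints the matching remedy. The function names and the mount-point argument are my own; the sample line is the post's first AVC record rejoined onto one line, as syslog originally emitted it.

```shell
#!/bin/sh
# Added example: classify an SELinux AVC denial record like the ones in
# /var/log/messages above and print the label-preserving remedy.
#
# Constructed sample: the first AVC record from the post, re-joined onto one
# line (syslog wrapped it across two lines in the listing).
AVC_SAMPLE='Jul 12 01:18:04 gfs1 kernel: audit(1152638284.918:3): avc: denied { getattr } for pid=3713 comm="httpd" name="/" dev=sda2 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t tclass=dir'

# avc_field LINE KEY: print the value of KEY=value from an AVC record, with
# surrounding double quotes removed (comm="httpd" -> httpd).
avc_field() {
    printf '%s\n' "$1" |
        sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE: print the permission named inside the braces (e.g. getattr).
avc_perm() {
    printf '%s\n' "$1" |
        sed -n 's/.*avc: denied[[:space:]]*{ \([^}]*\) }.*/\1/p' | tr -d ' '
}

# selinux_type CONTEXT: the type field of user:role:type[:level].
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_diagnose LINE: print one of
#   unlabeled - target type is file_t or unlabeled_t: the object carries no
#               label the policy knows, which is what a filesystem created
#               without SELinux labels looks like once it is mounted
#   confined  - target has a real type; the subject domain simply has no rule
#               for that access, so the target's label or the policy is wrong
avc_diagnose() {
    case "$(selinux_type "$(avc_field "$1" tcontext)")" in
        file_t|unlabeled_t) echo unlabeled ;;
        *)                  echo confined ;;
    esac
}

# avc_summary LINE MOUNTPOINT: one-line explanation plus the remedy that keeps
# the daemon confined. MOUNTPOINT is the path the device is mounted on (here
# /var/www/html, from the cluster's "mounting /dev/sda2" message), because
# name="/" in the record is relative to the device, not to the root filesystem.
avc_summary() {
    line=$1; mnt=$2
    subj=$(selinux_type "$(avc_field "$line" scontext)")
    tgt=$(selinux_type "$(avc_field "$line" tcontext)")
    printf '%s (%s) denied %s on %s %s labelled %s; ' \
        "$(avc_field "$line" comm)" "$subj" "$(avc_perm "$line")" \
        "$(avc_field "$line" tclass)" "$(avc_field "$line" name)" "$tgt"
    case "$(avc_diagnose "$line")" in
        unlabeled) printf 'unlabeled filesystem, relabel it: restorecon -Rv %s\n' "$mnt" ;;
        confined)  printf 'check the target label (ls -Z) and the policy for %s before changing booleans\n' "$subj" ;;
    esac
}

avc_summary "$AVC_SAMPLE" /var/www/html
```

Run it on a live cluster node as `grep 'avc: denied' /var/log/messages | while read -r l; do avc_summary "$l" /var/www/html; done` after the device is mounted; once the volume is relabelled, `ls -dZ /var/www/html` should show httpd_sys_content_t instead of file_t and the denials stop without httpd_disable_trans.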


1 Comment:

Anonymous said...

Maybe you should consider looking at SuSE AppArmor; it will reduce some of your headache.

Monday, July 24, 2006 12:03:00 PM  
