[RFC][PATCH] mod_selinux: setcon earlier

Hello,

I am wondering if the attached patch creates the actual intended behavior? Specifically, at which point httpd calls setcon() when the selinuxServerDomain option is set.

The current code ends up calling setcon after sockets have been opened, at least if the prefork mpm is in use. Here's the current path: apache calls these hooks in this order: pre_config, check_config, open_logs, post_config. The prefork mpm opens the listening sockets in open_logs, and mod_selinux does setcon() in post_config. However, I noticed that the selinuxServerDomain option has the EXEC_ON_READ option set... and I noticed issues with labeled networking having the setcon() called after the listening sockets are opened.

The attached patch deletes (well, in this version just comments out...) the mod_selinux post_config hook, and calls the routine directly from the set_server_domain option-processing hook. This, because of the EXEC_ON_READ option, is executed immediately upon finding a selinuxServerDomain option in a httpd config file. Thus, setcon() is called before sockets are opened.

Josh
--- mod_selinux.c.old	2010-03-03 11:40:14.886608228 -0500
+++ mod_selinux.c	2010-03-03 11:40:19.019609063 -0500
@@ -394,8 +394,10 @@
     if (is_selinux_enabled() < 1)
         return;
 
+/*
     ap_hook_post_config(selinux_post_config,
                         NULL, NULL, APR_HOOK_MIDDLE);
+*/
     ap_hook_post_read_request(selinux_post_read_request,
                               NULL, NULL, APR_HOOK_MIDDLE);
     ap_hook_handler(selinux_handler,
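Review bot: the `ap_hook_post_config(...)` registration is disabled with a `/* ... */` block rather than removed; if dropping the hook is the intent, delete the two lines outright, since a commented-out registration reads as a temporary toggle and leaves later readers unsure whether the hook is meant to come back. Note also that once this registration is gone, `selinux_post_config` is no longer invoked by the hook machinery at all, only from the directive handler in the second hunk, so anything in that function that relies on post_config-stage state (the fully merged server configuration, opened logs) needs to be re-checked against that much earlier call site.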
@@ -470,6 +472,8 @@
 {
     server_domain = apr_pstrdup(cmd->pool, v1);
 
+    selinux_post_config(NULL, NULL, cmd->temp_pool, cmd->server);
+
     return NULL;
 }
 
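Review bot: the call `selinux_post_config(NULL, NULL, cmd->temp_pool, cmd->server);` discards the hook's return value and the handler still returns NULL unconditionally, so a failed domain transition at this point would not prevent httpd from starting; capture the result and return an error string from the directive handler when it is not OK, which is how a config-time failure is reported. Passing NULL for the first two pool arguments is only safe if `selinux_post_config` never dereferences `pconf` or `plog`; a short comment at the call site stating that assumption would help. Finally, because EXEC_ON_READ runs this handler every time the configuration is parsed (httpd parses it more than once at startup and again on restart), setcon() will now be invoked repeatedly from a process that may already be in the target domain, so the transition path needs to tolerate being called when the current context already equals `server_domain`.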
