
Apache Web Agent 5.x does not start after installing it on RHEL or CentOS configured with SELinux

Last updated Dec 16, 2019

The purpose of this article is to provide assistance if the Apache web agent does not start after installing it on a Red Hat® Enterprise Linux® (RHEL) or CentOS system configured with SELinux in Enforcing mode. In this situation systemd reports that httpd.service failed, with the message "Failed to start The Apache HTTP Server".


Symptoms

When starting the Apache web agent, you get an error similar to the following:

Redirecting to /bin/systemctl start  httpd.service
Job for httpd.service failed because the control process exited with error code. See “systemctl status httpd.service” and “journalctl -xe” for details.
[root@localhost home]# service httpd status
Redirecting to /bin/systemctl status  httpd.service
● httpd.service - The Apache HTTP Server
  Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
  Active: failed (Result: exit-code) since Mon 2019-10-21 13:26:46 BST; 6s ago
    Docs: man:httpd(8)
          man:apachectl(8)
 Process: 23823 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=1/FAILURE)
 Process: 23822 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
Main PID: 23822 (code=exited, status=1/FAILURE)
Oct 21 13:26:46 localhost.localdomain systemd[1]: Starting The Apache HTTP Server...
Oct 21 13:26:46 localhost.localdomain httpd[23822]: httpd: Syntax error on line 359 of /etc/httpd/conf/httpd.conf: Cannot load /opt/agents/web_agents/apache24_agent/b...ion denied
Oct 21 13:26:46 localhost.localdomain systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Oct 21 13:26:46 localhost.localdomain kill[29010]: kill: cannot find process ""
Oct 21 13:26:46 localhost.localdomain systemd[1]: httpd.service: control process exited, code=exited status=1
Oct 21 13:26:46 localhost.localdomain systemd[1]: Failed to start The Apache HTTP Server.
Oct 21 13:26:46 localhost.localdomain systemd[1]: Unit httpd.service entered failed state.
Oct 21 13:26:46 localhost.localdomain systemd[1]: httpd.service failed.
Hint: Some lines were ellipsized, use -l to show in full.

Observe the truncated line ending ...ion denied; in full, it reads "Permission denied" and names the agent library that httpd could not load. Run systemctl status -l httpd.service or journalctl -u httpd.service to see the full line.

Alternatively, httpd may start with the agent module loaded, but you then see one of the following notices in the Apache error_log, showing that the agent cannot create its monitor pipe or write to its log directory:

  • Unable to make event channel object:
    [amagent:notice] [pid 5926:tid 139633967494912] amagent unable to make event channel object /opt/agents/web_agents/apache24_agent/lib/../log/monitor_0.pipe 13
    
  • No read/write/execute access:
    [amagent:notice] [pid : tid  ] startup error: no read/write/execute access to /opt/agents/web_agents/apache24_agent/lib/../log

Recent Changes

Installed, or upgraded to Apache web agent 5.x on Linux with SELinux in Enforcing mode.

Causes

When SELinux is in Enforcing mode, the kernel enforces the loaded policy and records every denial (an AVC record) in /var/log/audit/audit.log. The httpd process runs in the confined httpd_t domain, and the agent files installed under /opt/agents do not carry the labels that httpd_t is allowed to use. Depending on which access is denied, SELinux prevents httpd from loading the agent's .so file (so httpd fails to start), or it blocks creating the monitor pipe, reading the agent configuration files and writing to the log directories (so httpd starts but the agent logs the notices shown above). Each AVC record shows the denied permission, the object class and the source and target labels; ausearch -m AVC -ts recent lists the recent denials and audit2why explains why the policy denied them.

You can check what mode SELinux is in using the following command:

getenforce

Solution

This issue can be resolved by labeling the agent files with contexts that httpd_t is allowed to use, and by loading a small policy module that lets httpd create the agent's monitor pipe, as follows:

  1. Create a file called mod_am_agent.te with the following contents (this is the form that audit2allow generates; it grants httpd_t the fifo_file permissions the agent needs for its monitor pipe and nothing else):
    module mod_am_agent 1.0;
    
    require {
        type httpd_t;
        type httpd_sys_rw_content_t;
        class fifo_file { write setattr read create unlink open };
    }
    
    #============= httpd_t ==============
    allow httpd_t httpd_sys_rw_content_t:fifo_file { write setattr read create unlink open };
    
  2. Compile the module, package it and install it into the running policy, which allows httpd to create the pipe file:
    sudo checkmodule -M -m -o mod_am_agent.mod mod_am_agent.te
    sudo semodule_package -o mod_am_agent.pp -m mod_am_agent.mod
    sudo semodule -i mod_am_agent.pp
    
  3. Run the following commands to register file contexts that let httpd read the agent configuration, load the agent module and write the debug and audit logs, set the booleans that allow httpd to open network connections to AM, and then relabel the installed files. The paths assume the default installation directory /opt/agents; adjust them if the agent was installed elsewhere. If semanage reports that a file context is already defined for a path, modify it with -m instead of adding it with -a. Note that httpd_can_network_connect allows httpd to connect to any TCP port, not only to AM; httpd_can_network_relay on its own allows connections to the ports labeled http_port_t and http_cache_port_t (which include 443, 8443 and 8080), so if AM listens on one of those ports you can try that boolean alone and leave httpd_can_network_connect off. For example:
    sudo semanage fcontext -a -t httpd_config_t "/opt/agents(/.*)?"
    sudo semanage fcontext -a -t httpd_config_t "/opt/agents/web_agents(/.*)?"
    sudo semanage fcontext -a -t httpd_modules_t "/opt/agents/web_agents/apache24_agent/lib(/mod_openam.so)?"
    sudo semanage fcontext -a -t httpd_sys_rw_content_t "/opt/agents/web_agents/apache24_agent/log(/.*)?"
    sudo semanage fcontext -a -t httpd_config_t "/opt/agents/web_agents/.*_agent/instances/agent_.*/config(/.*)?"
    sudo semanage fcontext -a -t httpd_log_t "/opt/agents/web_agents/.*_agent/instances/agent_.*/logs/debug(/.*)?"
    sudo semanage fcontext -a -t httpd_log_t "/opt/agents/web_agents/.*_agent/instances/agent_.*/logs/audit(/.*)?"
    sudo setsebool -P httpd_can_network_connect on
    sudo setsebool -P httpd_can_network_relay on
    sudo restorecon -R -v /opt/agents
    
  4. Restart the httpd service, request a page protected by the agent, and check that no new AVC denials are logged to /var/log/audit/audit.log.
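To see which of the logged denials the policy module in step 1 actually addresses, and which ones instead call for the relabeling in step 3, here is an added example written for this article; it is not code from the agent or from ForgeRock. It is a POSIX shell script that parses AVC records in the audit.log format, extracts the allow rules from the mod_am_agent.te module, and reports each denial as COVERED or NOT-COVERED by that module. The audit records it runs on are constructed for the example (timestamps, PIDs and inode numbers are made up), and the file name avc_triage.sh mentioned in the comments is hypothetical.

```shell
#!/bin/sh
# Added example (not ForgeRock's code): triage SELinux AVC denials logged while
# the Apache web agent starts, and check which of them the mod_am_agent.te
# module from step 1 actually grants. Runs offline on constructed sample
# records; on a real host feed it the audit log instead, for example:
#   ausearch -m AVC -ts recent | sh avc_triage.sh     (hypothetical file name)

# Constructed sample records in the audit.log format. Timestamps, PIDs and
# inode numbers are illustrative; only the contexts and classes matter here.
# The SYSCALL record is included to show that non-AVC lines are ignored.
SAMPLE_AVC='type=SYSCALL msg=audit(1571660806.101:901): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1571660806.101:901): avc:  denied  { read } for  pid=23822 comm="httpd" name="mod_openam.so" dev="dm-0" ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file permissive=0
type=AVC msg=audit(1571660900.202:902): avc:  denied  { create } for  pid=5926 comm="httpd" name="monitor_0.pipe" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=fifo_file permissive=0'

# The policy module as given in step 1 of the Solution.
TE_MODULE='module mod_am_agent 1.0;
require {
    type httpd_t;
    type httpd_sys_rw_content_t;
    class fifo_file { write setattr read create unlink open };
}
allow httpd_t httpd_sys_rw_content_t:fifo_file { write setattr read create unlink open };'

# avc_summary: read audit records on stdin and print one tab-separated line per
# AVC denial: permissions, object class, source type, target type, object name.
avc_summary() {
  grep 'avc: *denied' | while IFS= read -r rec; do
    perms=$(printf '%s\n' "$rec" | sed -n 's/.*denied *{ *\([^}]*[^ }]\) *}.*/\1/p')
    tclass=$(printf '%s\n' "$rec" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    stype=$(printf '%s\n' "$rec" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    ttype=$(printf '%s\n' "$rec" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    name=$(printf '%s\n' "$rec" | sed -n 's/.*name="\([^"]*\)".*/\1/p')
    [ -n "$name" ] || name=-
    printf '%s\t%s\t%s\t%s\t%s\n' "$perms" "$tclass" "$stype" "$ttype" "$name"
  done
}

# te_allow_rules: extract the brace-form allow rules of a .te module on stdin as
#   <source type> <target type> <class> <perm> [<perm> ...]
te_allow_rules() {
  sed -n 's/^[[:space:]]*allow[[:space:]]\{1,\}\([^[:space:]]*\)[[:space:]]\{1,\}\([^:]*\):\([^[:space:]{]*\)[[:space:]]*{\([^}]*\)}.*/\1 \2 \3 \4 /p'
}

# covered_by_module <source type> <target type> <class> <perm>...: succeed only
# if the allow rules in TE_MODULE grant every listed permission for that triple
# (several rules for the same triple are merged, as SELinux itself does).
covered_by_module() {
  s=$1; t=$2; c=$3; shift 3
  granted=$(printf '%s\n' "$TE_MODULE" | te_allow_rules | grep "^$s $t $c " \
            | sed "s/^$s $t $c //" | tr '\n' ' ')
  [ -n "$granted" ] || return 1
  for p in "$@"; do
    case " $granted " in *" $p "*) ;; *) return 1 ;; esac
  done
  return 0
}

# triage: for each denial on stdin, report whether the module covers it.
# A NOT-COVERED denial on a file, dir or fifo normally means the object still
# carries the wrong label (fix with semanage fcontext + restorecon, step 3) or
# that a boolean is needed; it is not a reason to add another allow rule.
triage() {
  avc_summary | while IFS="$(printf '\t')" read -r perms tclass stype ttype name; do
    # $perms is deliberately unquoted so "read write" becomes two arguments.
    if covered_by_module "$stype" "$ttype" "$tclass" $perms; then
      verdict=COVERED
    else
      verdict=NOT-COVERED
    fi
    printf '%s\t%s %s:%s { %s } %s\n' "$verdict" "$stype" "$ttype" "$tclass" "$perms" "$name"
  done
}

# Run the triage over the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_AVC" | triage
```

On the sample, the read denial on mod_openam.so (target type usr_t, class file) is reported NOT-COVERED: that is the denial the fcontext rules in step 3 remove by relabeling the library httpd_modules_t. The fifo_file create denial on httpd_sys_rw_content_t is reported COVERED, because it is exactly what the module in step 1 grants. Keep that distinction when you work from a real audit log: feeding every denial into audit2allow produces allow rules that widen httpd_t's policy, whereas relabeling leaves the policy as it is.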

Alternatively, you can switch SELinux to Permissive mode for the current boot, in which denials are still logged to /var/log/audit/audit.log but no longer enforced, so the agent starts:

setenforce Permissive

This is a diagnostic step, not a fix: every confined process on the host loses SELinux protection until the mode set in /etc/selinux/config is reapplied at the next reboot. Use it to collect the full set of denials (for example with ausearch -m AVC -ts recent), then return to Enforcing mode with setenforce Enforcing once the labels and the module above are in place.

See Web Agents 5.5 › User Guide › Solutions to Common Issues for further information. 

See Also

Security-Enhanced Linux User Guide

SELinux

Related Training

N/A

Related Issue Tracker IDs

N/A



Copyright and Trademarks

Copyright © 2019 ForgeRock, all rights reserved.