
Apache Web Agent (All versions) does not start after installing it on RHEL or CentOS configured with SELinux

Last updated Oct 5, 2021

The purpose of this article is to provide assistance if the Apache web agent does not start after installing it on a Red Hat® Enterprise Linux® (RHEL) or CentOS system configured with SELinux in Enforcing mode. The systemd output includes the messages "httpd.service failed" and "Failed to start The Apache HTTP Server".



Symptoms

When starting the Apache web agent, you get an error similar to the following:

Redirecting to /bin/systemctl start httpd.service
Job for httpd.service failed because the control process exited with error code. See “systemctl status httpd.service” and “journalctl -xe” for details.
[root@localhost home]# service httpd status
Redirecting to /bin/systemctl status httpd.service
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Mon 2019-10-21 13:26:46 BST; 6s ago
     Docs: man:httpd(8)
           man:apachectl(8)
  Process: 23823 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=1/FAILURE)
  Process: 23822 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
 Main PID: 23822 (code=exited, status=1/FAILURE)

Oct 21 13:26:46 localhost.localdomain systemd[1]: Starting The Apache HTTP Server...
Oct 21 13:26:46 localhost.localdomain httpd[23822]: httpd: Syntax error on line 359 of /etc/httpd/conf/httpd.conf: Cannot load /opt/agents/web_agents/apache24_agent/b...ion denied
Oct 21 13:26:46 localhost.localdomain systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Oct 21 13:26:46 localhost.localdomain kill[29010]: kill: cannot find process ""
Oct 21 13:26:46 localhost.localdomain systemd[1]: httpd.service: control process exited, code=exited status=1
Oct 21 13:26:46 localhost.localdomain systemd[1]: Failed to start The Apache HTTP Server.
Oct 21 13:26:46 localhost.localdomain systemd[1]: Unit httpd.service entered failed state.
Oct 21 13:26:46 localhost.localdomain systemd[1]: httpd.service failed.
Hint: Some lines were ellipsized, use -l to show in full.

Observe the truncated line ending in ...ion denied. In full, this reads "Permission denied" (run systemctl status httpd.service -l to see the complete line).

Alternatively, the web agent may start successfully but you then see one of the following notices in the error_log:

  • Unable to make event channel object: [amagent:notice] [pid 5926:tid 139633967494912] amagent unable to make event channel object /opt/agents/web_agents/apache24_agent/lib/../log/monitor_0.pipe 13
  • No read/write/execute access: [amagent:notice] [pid : tid ] startup error: no read/write/execute access to /opt/agents/web_agents/apache24_agent/lib/../log

Recent Changes

Installed, or upgraded the Apache web agent on Linux with SELinux in Enforcing mode.

Causes

When SELinux is in Enforcing mode (which enforces the loaded policy and logs every denial to the /var/log/audit/audit.log file), it can prevent external .so files from being loaded into httpd. It can also cause other permission errors when the agent creates pipes, reads its configuration files, or writes to its log directories.

You can check what mode SELinux is in using the following command:

getenforce

Solution

This issue can be resolved by making SELinux context changes to the agent configuration files as follows:

  1. Create a file called mod_am_agent.te with the following contents:

     module mod_am_agent 1.0;

     require {
         type httpd_t;
         type httpd_sys_rw_content_t;
         class fifo_file { write setattr read create unlink open };
     }

     #============= httpd_t ==============
     allow httpd_t httpd_sys_rw_content_t:fifo_file { write setattr read create unlink open };

  2. Compile and apply the new configuration for creating the pipe file using the following commands:

     sudo checkmodule -M -m -o mod_am_agent.mod mod_am_agent.te
     sudo semodule_package -o mod_am_agent.pp -m mod_am_agent.mod
     sudo semodule -i mod_am_agent.pp

  3. Run the following commands to update the HTTP settings to give the necessary permissions (to access the configuration, load the module, and write to debug and audit logs) and set the booleans to allow access to AM:

     sudo semanage fcontext -a -t httpd_config_t "/opt/agents(/.*)?"
     sudo semanage fcontext -a -t httpd_config_t "/opt/agents/web_agents(/.*)?"
     sudo semanage fcontext -a -t httpd_modules_t "/opt/agents/web_agents/apache24_agent/lib(/mod_openam.so)?"
     sudo semanage fcontext -a -t httpd_sys_rw_content_t "/opt/agents/web_agents/apache24_agent/log(/.*)?"
     sudo semanage fcontext -a -t httpd_config_t "/opt/agents/web_agents/.*_agent/instances/agent_.*/config(/.*)?"
     sudo semanage fcontext -a -t httpd_log_t "/opt/agents/web_agents/.*_agent/instances/agent_.*/logs/debug(/.*)?"
     sudo semanage fcontext -a -t httpd_log_t "/opt/agents/web_agents/.*_agent/instances/agent_.*/logs/audit(/.*)?"
     sudo setsebool -P httpd_can_network_connect on
     sudo setsebool -P httpd_can_network_relay on
     sudo restorecon -R -v /opt/agents
  4. Start and stop the httpd service, and make a request to an authenticated page.
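If httpd still fails after these steps, the quickest way to see what remains is to read the AVC denials in /var/log/audit/audit.log. The following script is an added example, not from this article or the ForgeRock agent; its function names (classify_avc, triage_audit, summarise_sample) are mine and the audit records it parses are constructed to mirror the symptoms above. It maps each httpd_t denial to the step in the Solution that addresses it:

```shell
#!/bin/sh
# Added example (not ForgeRock code): triage AVC denials an Apache web agent
# can trigger under SELinux Enforcing mode, and map each to the remediation
# step in the Solution. Assumes the standard auditd "avc:  denied" record
# format; the sample records below are constructed (PIDs and inodes made up).

# Classify one AVC record by what the article's steps would fix.
classify_avc() {
  line="$1"
  tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([a-z_]*\).*/\1/p')
  name=$(printf '%s\n' "$line" | sed -n 's/.*name="\([^"]*\)".*/\1/p')
  case "$tclass" in
    fifo_file) echo fifo_file ;;     # steps 1-2: mod_am_agent policy module
    tcp_socket) echo network ;;      # step 3: httpd_can_network_connect/relay
    file|dir|lnk_file)
      case "$name" in
        *.so|lib) echo module ;;     # step 3: httpd_modules_t on lib/
        *.pipe) echo fifo_file ;;    # pipe under log/ (steps 1-2)
        *.log|log|debug|audit) echo log ;;          # step 3: httpd_log_t etc.
        *.conf|*.properties|config) echo config ;;  # step 3: httpd_config_t
        *) echo other ;;
      esac ;;
    *) echo other ;;
  esac
}

# Read audit records from stdin and print one category per httpd_t denial;
# SYSCALL records and denials from other domains are skipped.
triage_audit() {
  while IFS= read -r line; do
    case "$line" in
      *'avc:'*'denied'*'{'*'scontext=system_u:system_r:httpd_t:'*) classify_avc "$line" ;;
    esac
  done
}

# Constructed sample modelled on /var/log/audit/audit.log records for the
# symptoms in this article: module load, monitor pipe, connection to AM.
SAMPLE_AUDIT='type=AVC msg=audit(1571660806.101:2001): avc:  denied  { read } for  pid=23822 comm="httpd" name="mod_openam.so" dev="dm-0" ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1571660806.102:2002): avc:  denied  { create } for  pid=5926 comm="httpd" name="monitor_0.pipe" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=fifo_file permissive=0
type=AVC msg=audit(1571660806.103:2003): avc:  denied  { name_connect } for  pid=5926 comm="httpd" dest=8443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1571660806.103:2003): arch=c000003e syscall=42 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0'

# Space-separated categories found in the sample (stand-alone run prints them).
summarise_sample() { printf '%s\n' "$SAMPLE_AUDIT" | triage_audit | tr '\n' ' ' | sed 's/ $//'; }
summarise_sample; echo
```

On a real system, replace the sample with `sudo grep 'avc:  denied' /var/log/audit/audit.log | triage_audit | sort | uniq -c` to see which categories of denial are still occurring after restorecon.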

Alternatively, you can temporarily switch SELinux to Permissive mode using the following command, which allows the agent to start while denials are still logged to /var/log/audit/audit.log (the change is not persistent: SELinux returns to Enforcing mode when the system is next restarted):

setenforce Permissive

See Troubleshooting for further information.

See Also

Security-Enhanced Linux User Guide

SELinux

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.