Date: Fri, 7 Oct 2005 08:41:27 -0400 (EDT)
From: Albert Lash <alby@thirteen.net>
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] SELinux and Apache - no pid file?
In-Reply-To: <1128651907.17904.6.camel@bugaboo.snowpatch.net>
Message-ID: <Pine.LNX.4.58.0510070839540.20475@thirteen.net>
References: <Pine.LNX.4.58.0509241531450.5944@thirteen.net>
 <Pine.LNX.4.58.0509241834290.9983@thirteen.net>
 <Pine.LNX.4.58.0510061405510.18391@thirteen.net>
 <1128650436.26791.11.camel@gorn.pebenito.net>
 <1128651907.17904.6.camel@bugaboo.snowpatch.net>

Way to go, Travis, thank you for the link and advice; this fixed my issue!
As a follow-up, the compilation gave me a warning about lazy bindings and
suggested I compile with these additional options:

 CFLAGS="-Wl,-z,now"

I did so and it compiled OK.

Cheers!

Albert

On Thu, 6 Oct 2005, Travis Fraser wrote:

> On Thu, 2005-10-06 at 22:00 -0400, Chris PeBenito wrote:
> > On Thu, 2005-10-06 at 14:18 -0400, Albert Lash wrote:
> > > The problem I am experiencing is when I restart apache. I do this as root,
> > > su'd from a user with SELinux roles staff_r and sysadm_r. I first log in via
> > > ssh as a normal user, then I newrole -r sysadm_r, then I su, and then I
> > > /etc/init.d/apache2 restart. I get a warning that there is no pid. So
> > > then I have to kill the process identified by ps -A, and then
> > > /etc/init.d/apache start. (Whenever I run an init script, I have to
> > > authenticate as the original user who has the sysadm_r role.) The server
> > > starts fine, but seems to have a delay before I can access the server via
> > > a browser. Even when the server starts responding to browser requests, no
> > > pid file is written to /var/run. There aren't even any denials in the
> > > /var/log/messages file, which still wouldn't prevent a pid file from
> > > getting written, as I am in permissive mode.
> >
> It seems to have something to do with entropy? See this thread:
> http://forums.gentoo.org/viewtopic-t-384660-highlight-apache+pid.html
>
> specifically this part:
> MY_BUILTINS="--with-devrandom=/dev/urandom" emerge apache
>
> This solved the exact problem for me even though I had no problems on
> other servers (no selinux on any of them though).
>
> > If this doesn't work in permissive, then it points to something not
> > SELinux related being wrong.  I suggest looking at the apache logs for
> > errors, and also check DAC perms.
> >
> > > I have also tried the SELinux run_init command before the init script with
> > > the same results.
> >
> > This won't help because Gentoo already has run_init integrated into the
> > init script system.
> >
> > > Is this standard behavior for Apache2 on SELinux?
> >
> > No, I can't reproduce it on my enforcing systems.
> >
> --
> Travis Fraser <travis@snowpatch.net>
>
> --
> gentoo-hardened@gentoo.org mailing list
>
-- 
gentoo-hardened@gentoo.org mailing list
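The -Wl,-z,now flag mentioned above asks the linker to resolve all PLT symbols at load time instead of lazily, which, together with -z relro, lets the loader make the GOT read-only ("full RELRO"). The following checker is an added example, not part of this thread or of Gentoo's toolchain: it parses a 64-bit little-endian ELF file directly and reports whether the binary actually carries the PT_GNU_RELRO segment and the BIND_NOW dynamic flags that GNU ld emits for -z now, so an administrator can confirm the rebuilt httpd got the hardening it was supposed to.

```python
import struct
import sys

PT_DYNAMIC = 2
PT_GNU_RELRO = 0x6474E552          # segment the loader mprotect()s read-only
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW = 0x8                  # DT_FLAGS bit set by "-z now"
DF_1_NOW = 0x1                     # DT_FLAGS_1 bit set by "-z now"


def relro_status(path):
    """Return {'relro', 'bind_now', 'level'} for an ELF64 little-endian file.

    level is 'full' (RELRO + BIND_NOW), 'partial' (RELRO only) or 'none'.
    Only ELF64 LE is handled; anything else raises ValueError.
    """
    with open(path, "rb") as f:
        data = f.read()
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only 64-bit little-endian ELF is supported")
    # Elf64_Ehdr: e_phoff at 0x20, e_phentsize/e_phnum at 0x36
    e_phoff = struct.unpack_from("<Q", data, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)

    relro, dyn = False, None
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type = struct.unpack_from("<I", data, off)[0]
        if p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_DYNAMIC:
            # Elf64_Phdr: p_offset at +8, p_filesz at +32
            p_offset = struct.unpack_from("<Q", data, off + 8)[0]
            p_filesz = struct.unpack_from("<Q", data, off + 32)[0]
            dyn = (p_offset, p_filesz)

    bind_now = False
    if dyn is not None:
        # Walk Elf64_Dyn entries (16 bytes: signed d_tag, unsigned d_val)
        for pos in range(dyn[0], dyn[0] + dyn[1], 16):
            d_tag, d_val = struct.unpack_from("<qQ", data, pos)
            if d_tag == DT_NULL:
                break
            if (d_tag == DT_BIND_NOW
                    or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW)
                    or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW)):
                bind_now = True

    level = "full" if relro and bind_now else "partial" if relro else "none"
    return {"relro": relro, "bind_now": bind_now, "level": level}


if __name__ == "__main__":
    for p in sys.argv[1:] or ["/bin/sh"]:
        print(p, relro_status(p))
```

Run it against the installed httpd binary (for example `python3 relro_check.py /usr/sbin/apache2`); a build that honoured -z now reports level "full", while a lazily bound one reports "partial" or "none".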