mod_systemd: if SELinux is available and enabled, log the SELinux

context at startup, since this may vary when httpd is started via systemd vs being started directly. * modules/arch/unix/mod_systemd.c (systemd_post_config): Do nothing for the pre-config iteration. Log the SELinux context if available. * modules/arch/unix/config5.m4: Detect libselinux. Have at least one CI job build mod_systemd. Github: closes #422 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1916344 13f79535-47bb-0310-9956-ffa450edef68 (cherry picked from commit 9b17700)
apache · Feb 10, 2025 · 36b5cc6 · 36b5cc6
1 parent 289ca22
commit 36b5cc6
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 1 deletion.
diff --git a/changes-entries/systemd-selinux.patch b/changes-entries/systemd-selinux.patch
@@ -0,0 +1,2 @@
+  *) mod_systemd: Log the SELinux context at startup if available and
+     enabled.  [Joe Orton]
diff --git a/modules/arch/unix/config5.m4 b/modules/arch/unix/config5.m4
@@ -23,6 +23,11 @@ APACHE_MODULE(systemd, Systemd support, , , no, [
     AC_MSG_WARN([Your system does not support systemd.])
     enable_systemd="no"
   else
+    AC_CHECK_LIB(selinux, is_selinux_enabled, [
+      AC_DEFINE(HAVE_SELINUX, 1, [Defined if SELinux is supported])
+      APR_ADDTO(MOD_SYSTEMD_LDADD, [-lselinux])
+    ])
+
     APR_ADDTO(MOD_SYSTEMD_LDADD, [$SYSTEMD_LIBS])
   fi
 ])

diff --git a/modules/arch/unix/mod_systemd.c b/modules/arch/unix/mod_systemd.c
@@ -29,6 +29,10 @@
 #include "scoreboard.h"
 #include "mpm_common.h"
 
+#ifdef HAVE_SELINUX
+#include <selinux/selinux.h>
+#endif
+
 #include "systemd/sd-daemon.h"
 
 #if APR_HAVE_UNISTD_H
@@ -45,16 +49,37 @@ static int systemd_pre_config(apr_pool_t *pconf, apr_pool_t *plog,
     return OK;
 }
 
+#ifdef HAVE_SELINUX
+static void log_selinux_context(void)
+{
+    char *con;
+
+    if (is_selinux_enabled() && getcon(&con) == 0) {
+        ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
+                     APLOGNO(10497) "SELinux is enabled; "
+                     "httpd running as context %s", con);
+        freecon(con);
+    }
+}
+#endif
+
 /* Report the service is ready in post_config, which could be during
  * startup or after a reload.  The server could still hit a fatal
  * startup error after this point during ap_run_mpm(), so this is
  * perhaps too early, but by post_config listen() has been called on
  * the TCP ports so new connections will not be rejected.  There will
  * always be a possible async failure event simultaneous to the
  * service reporting "ready", so this should be good enough. */
-static int systemd_post_config(apr_pool_t *p, apr_pool_t *plog,
+static int systemd_post_config(apr_pool_t *pconf, apr_pool_t *plog,
                                apr_pool_t *ptemp, server_rec *main_server)
 {
+    if (ap_state_query(AP_SQ_MAIN_STATE) == AP_SQ_MS_CREATE_PRE_CONFIG)
+        return OK;
+
+#ifdef HAVE_SELINUX
+    log_selinux_context();
+#endif
+
     sd_notify(0, "READY=1\n"
               "STATUS=Configuration loaded.\n");
     return OK;
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		*) mod_systemd: Log the SELinux context at startup if available and
		enabled. [Joe Orton]