mod_systemd: if SELinux is available and enabled, log the SELinux
context at startup, since this may vary when httpd is started via
systemd vs being started directly.
* modules/arch/unix/mod_systemd.c (systemd_post_config):
Do nothing for the pre-config iteration.
Log the SELinux context if available.
* modules/arch/unix/config5.m4: Detect libselinux.
Have at least one CI job build mod_systemd.
Github: closes #422
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1916344 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
index 5a2c6ae..f98c9eb 100644
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -246,7 +246,8 @@
TEST_INSTALL=1
TEST_MOD_TLS=1
- name: Configured w/reduced exports
- config: --enable-reduced-exports --enable-maintainer-mode
+ config: --enable-reduced-exports --enable-maintainer-mode --enable-systemd
+ pkgs: libsystemd-dev
env: |
SKIP_TESTING=1
TEST_INSTALL=1
diff --git a/changes-entries/systemd-selinux.patch b/changes-entries/systemd-selinux.patch
new file mode 100644
index 0000000..154dfba
--- /dev/null
+++ b/changes-entries/systemd-selinux.patch
@@ -0,0 +1,2 @@
+ *) mod_systemd: Log the SELinux context at startup if available and
+ enabled. [Joe Orton]
diff --git a/modules/arch/unix/config5.m4 b/modules/arch/unix/config5.m4
index 9351fca..6544ae6 100644
--- a/modules/arch/unix/config5.m4
+++ b/modules/arch/unix/config5.m4
@@ -25,6 +25,11 @@
AC_MSG_WARN([Your system does not support systemd.])
enable_systemd="no"
else
+ AC_CHECK_LIB(selinux, is_selinux_enabled, [
+ AC_DEFINE(HAVE_SELINUX, 1, [Defined if SELinux is supported])
+ APR_ADDTO(MOD_SYSTEMD_LDADD, [-lselinux])
+ ])
+
APR_ADDTO(MOD_SYSTEMD_LDADD, [$SYSTEMD_LIBS])
fi
])
diff --git a/modules/arch/unix/mod_systemd.c b/modules/arch/unix/mod_systemd.c
index 2de1c9b..22482fd 100644
--- a/modules/arch/unix/mod_systemd.c
+++ b/modules/arch/unix/mod_systemd.c
@@ -29,6 +29,10 @@
#include "scoreboard.h"
#include "mpm_common.h"
+#ifdef HAVE_SELINUX
+#include <selinux/selinux.h>
+#endif
+
#include "systemd/sd-daemon.h"
#if APR_HAVE_UNISTD_H
@@ -45,6 +49,20 @@
return OK;
}
+#ifdef HAVE_SELINUX
+static void log_selinux_context(void)
+{
+ char *con;
+
+ if (is_selinux_enabled() && getcon(&con) == 0) {
+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
+ APLOGNO(10497) "SELinux is enabled; "
+ "httpd running as context %s", con);
+ freecon(con);
+ }
+}
+#endif
+
/* Report the service is ready in post_config, which could be during
* startup or after a reload. The server could still hit a fatal
* startup error after this point during ap_run_mpm(), so this is
@@ -52,9 +70,16 @@
* the TCP ports so new connections will not be rejected. There will
* always be a possible async failure event simultaneous to the
* service reporting "ready", so this should be good enough. */
-static int systemd_post_config(apr_pool_t *p, apr_pool_t *plog,
+static int systemd_post_config(apr_pool_t *pconf, apr_pool_t *plog,
apr_pool_t *ptemp, server_rec *main_server)
{
+ if (ap_state_query(AP_SQ_MAIN_STATE) == AP_SQ_MS_CREATE_PRE_CONFIG)
+ return OK;
+
+#ifdef HAVE_SELINUX
+ log_selinux_context();
+#endif
+
sd_notify(0, "READY=1\n"
"STATUS=Configuration loaded.\n");
return OK;
