mod_systemd: if SELinux is available and enabled, log the SELinux

context at startup, since this may vary when httpd is started via
systemd vs being started directly.

* modules/arch/unix/mod_systemd.c (systemd_post_config):
  Do nothing for the pre-config iteration.
  Log the SELinux context if available.

* modules/arch/unix/config5.m4: Detect libselinux.

Have at least one CI job build mod_systemd.

Github: closes #422

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1916344 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
index 5a2c6aee94f9e742630f1f37df47f4fe6fe3c07e..f98c9ebc39f7d1cf4c618cc085c1691a1f7a687e 100644 (file)
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -246,7 +246,8 @@ jobs:
               TEST_INSTALL=1
               TEST_MOD_TLS=1
           - name: Configured w/reduced exports
-            config: --enable-reduced-exports --enable-maintainer-mode
+            config: --enable-reduced-exports --enable-maintainer-mode --enable-systemd
+            pkgs: libsystemd-dev
             env: |
               SKIP_TESTING=1
               TEST_INSTALL=1

diff --git a/changes-entries/systemd-selinux.patch b/changes-entries/systemd-selinux.patch
new file mode 100644 (file)
index 0000000..154dfba
--- /dev/null
+++ b/changes-entries/systemd-selinux.patch
@@ -0,0 +1,2 @@
+  *) mod_systemd: Log the SELinux context at startup if available and
+     enabled.  [Joe Orton]

diff --git a/modules/arch/unix/config5.m4 b/modules/arch/unix/config5.m4
index 9351fca593b7977025951c8af69945fcb528e1b8..6544ae6a8795da3c75c2e4ca766a77c2e14de1f2 100644 (file)
--- a/modules/arch/unix/config5.m4
+++ b/modules/arch/unix/config5.m4
@@ -25,6 +25,11 @@ APACHE_MODULE(systemd, Systemd support, , , no, [
     AC_MSG_WARN([Your system does not support systemd.])
     enable_systemd="no"
   else
+    AC_CHECK_LIB(selinux, is_selinux_enabled, [
+      AC_DEFINE(HAVE_SELINUX, 1, [Defined if SELinux is supported])
+      APR_ADDTO(MOD_SYSTEMD_LDADD, [-lselinux])
+    ])
+
     APR_ADDTO(MOD_SYSTEMD_LDADD, [$SYSTEMD_LIBS])
   fi
 ])

diff --git a/modules/arch/unix/mod_systemd.c b/modules/arch/unix/mod_systemd.c
index 2de1c9befdc4bfc9a90f37e9b3669d53a868e03b..22482fd6bbcef54beb5fe07aab295ca4eb590225 100644 (file)
--- a/modules/arch/unix/mod_systemd.c
+++ b/modules/arch/unix/mod_systemd.c
@@ -29,6 +29,10 @@
 #include "scoreboard.h"
 #include "mpm_common.h"
 
+#ifdef HAVE_SELINUX
+#include <selinux/selinux.h>
+#endif
+
 #include "systemd/sd-daemon.h"
 
 #if APR_HAVE_UNISTD_H
@@ -45,6 +49,20 @@ static int systemd_pre_config(apr_pool_t *pconf, apr_pool_t *plog,
     return OK;
 }
 
+#ifdef HAVE_SELINUX
+static void log_selinux_context(void)
+{
+    char *con;
+
+    if (is_selinux_enabled() && getcon(&con) == 0) {
+        ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
+                     APLOGNO(10497) "SELinux is enabled; "
+                     "httpd running as context %s", con);
+        freecon(con);
+    }
+}
+#endif
+
 /* Report the service is ready in post_config, which could be during
  * startup or after a reload.  The server could still hit a fatal
  * startup error after this point during ap_run_mpm(), so this is
@@ -52,9 +70,16 @@ static int systemd_pre_config(apr_pool_t *pconf, apr_pool_t *plog,
  * the TCP ports so new connections will not be rejected.  There will
  * always be a possible async failure event simultaneous to the
  * service reporting "ready", so this should be good enough. */
-static int systemd_post_config(apr_pool_t *p, apr_pool_t *plog,
+static int systemd_post_config(apr_pool_t *pconf, apr_pool_t *plog,
                                apr_pool_t *ptemp, server_rec *main_server)
 {
+    if (ap_state_query(AP_SQ_MAIN_STATE) == AP_SQ_MS_CREATE_PRE_CONFIG)
+        return OK;
+
+#ifdef HAVE_SELINUX
+    log_selinux_context();
+#endif
+
     sd_notify(0, "READY=1\n"
               "STATUS=Configuration loaded.\n");
     return OK;