1

When running in strict mode, SELinux would not let me start HTTPD since my mod_jk.so module was copied from an external server.

I copied mod_jk.so externally since I couldn't find the package to install it.

But, now, in order to run HTTPD, I need to put SELinux in Permissive mode.

I read on the wiki that I could add a custom policy to allow this mod_jk.so to be used.

Is this the recommended way so that I can use my external mod_jk.so file?

Kevin Meredith

3 Answers

2

List the current security context of the file:

# ls -lrtZ /full/path/to/mod_jk.so

Compare the output with the expected context for that path:

# matchpathcon /full/path/to/mod_jk.so

Restore the expected security context of the file:

# restorecon -v /full/path/to/mod_jk.so

Restart the web server and check for new AVC denials:

# ausearch -m avc -ts recent
dawud
1

Ran across this same issue on a CentOS 7 machine with HTTPD 2.4. Took me a while, but dug up an old Red Hat bug report from 2007 (https://bugzilla.redhat.com/show_bug.cgi?id=225452) which solved it.

The solution (in my case):

Modify your jk.conf file in /etc/httpd/conf.d/ to write the Shm files to /var/run/mod_jk instead of /var/log/httpd/mod_jk.shm, e.g.:

JkWorkersFile /etc/httpd/conf.d/workers.properties
JkShmFile     /var/run/mod_jk
JkLogFile     /var/log/httpd/mod_jk.log
JkLogLevel    info
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "

No need to set SELinux to permissive.

bjh
1

With this command I am able to run mod_jk in httpd:

# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Daniele Santi
Birendra Rawat
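
Before a module built from `grep httpd ... | audit2allow` is installed, it helps to see which denials it would cover, since `grep httpd` also matches records from other processes that only mention an httpd path. The script below is an added example, not part of any answer above: it groups AVC denials for one process name. The function names `sample_audit_log` and `summarize_avc`, the sample records and the `admin_home_t` label on the module are constructed assumptions.

```shell
#!/bin/sh
# Added example: group AVC denials by (permissions, class, target type, object)
# for one process name, so each rule can be reviewed before audit2allow -M.

# Constructed sample records (not taken from a real system).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1400000000.101:11): avc:  denied  { execute } for  pid=2101 comm="httpd" path="/etc/httpd/modules/mod_jk.so" dev="dm-0" ino=401 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1400000060.102:12): avc:  denied  { execute } for  pid=2140 comm="httpd" path="/etc/httpd/modules/mod_jk.so" dev="dm-0" ino=401 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1400000120.103:13): avc:  denied  { read write } for  pid=2140 comm="httpd" name="mod_jk.shm" dev="dm-0" ino=402 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file
type=AVC msg=audit(1400000180.104:14): avc:  denied  { open } for  pid=3001 comm="rsync" path="/var/log/httpd/error_log" dev="dm-0" ino=403 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file
EOF
}

# Usage on a real host: summarize_avc httpd < /var/log/audit/audit.log
# Output columns: count, permissions, object class, target type, path or name.
summarize_avc() {
    awk -v comm="${1:-httpd}" '
    $1 == "type=AVC" && / denied / {
        perms = ""; obj = "-"; c = ""; tctx = ""; cls = ""; inbrace = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inbrace = 1; continue }
            if ($i == "}") { inbrace = 0; continue }
            if (inbrace) { perms = perms (perms == "" ? "" : ",") $i; continue }
            eq = index($i, "=")
            if (eq == 0) continue
            k = substr($i, 1, eq - 1); v = substr($i, eq + 1)
            gsub(/"/, "", v)
            if (k == "comm") c = v
            else if (k == "path" || (k == "name" && obj == "-")) obj = v
            else if (k == "tcontext") tctx = v
            else if (k == "tclass") cls = v
        }
        if (c != comm) next          # match on the comm= field, not the whole line
        split(tctx, t, ":")          # user:role:type:level -> t[3] is the type
        count[perms " " cls " " t[3] " " obj]++
    }
    END { for (key in count) print count[key], key }' | LC_ALL=C sort -k2
}

# Stand-alone run over the constructed sample.
sample_audit_log | summarize_avc httpd
```

In the sample, the module denial points at a mislabeled file and the `mod_jk.shm` denial points at the shared memory file's location, the two conditions the earlier answers address with `restorecon` and `JkShmFile`.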