OK, well, I am posting this information to this list in this thread
because we kind of got started down the path of SELinux.  Fedora Core 3
comes with a feature called Security Enhanced Linux.  This is a security
feature that you may or may not want to have on your server.  I chose to
enable it, so that is why I am posting this information.  The main
reason for using SELinux is to have finer-grained control over what your
processes are doing and how they are doing it.  Also, this information
is output to the logs and is great for auditing.  I highly recommend
taking the time to read about SELinux if your distro supports it.

First of all, I have Apache + Mod_jk on one machine and then tomcat on a
separate machine.  When I upgraded to SELinux Policy 18, I noticed that
apache would not communicate with tomcat using the ajp13 connector.  So
what do you do?  Well you can:

1.  Disable SELinux for apache by going into the GUI security level
settings tool.  You have to have a GUI installed for this to work.

2.  Disable SELinux entirely.  Google for this, I can not remember how
to do it.

3.  Configure your SELinux policy to allow Apache+Mod_JK to work.  You
can do this by using the audit2allow tool.  You also need the
selinux-policy-targeted-sources package.  Just do a:

yum install selinux-policy-targeted-sources

audit2allow -d

allow httpd_t httpd_log_t:file write;
allow httpd_t self:tcp_socket connect;
allow mysqld_t ld_so_cache_t:file execute;
allow unconfined_t httpd_t:file relabelto;

The content above needs to be placed in 
/etc/selinux/targeted/src/domains/program/apache.te

I had to comment out the last two lines because I was not interested in
enabling them.  The manual on SELinux clearly indicates that you should
analyze the output of audit2allow carefully.

Next, cd into the /etc/selinux/targeted/src directory and do:

make policy
make install
make reload

Then restart apache and it may work, or it may not.

Randall
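
Added example (not from Randall's post or the Fedora policy sources): a small POSIX sh helper that does the review step described above mechanically, keeping only the audit2allow rules whose source domain is httpd_t, commenting out the rest so they stay visible, and optionally appending the result to apache.te and running the same make targets. The four sample rules are the ones quoted in the post, embedded here as constructed input; the function names, the `# not granted:` marker and the `apply_httpd_rules` wrapper are my own choices, and the policy-source path is the one from the post.

```sh
#!/bin/sh
# Constructed input: the four rules audit2allow -d produced in the post above.
SAMPLE_RULES='allow httpd_t httpd_log_t:file write;
allow httpd_t self:tcp_socket connect;
allow mysqld_t ld_so_cache_t:file execute;
allow unconfined_t httpd_t:file relabelto;'

# filter_te_rules DOMAIN
# Reads TE allow rules on stdin.  Rules whose source domain is DOMAIN are
# passed through unchanged; every other allow rule is commented out (kept in
# the file so a reviewer can see what audit2allow proposed but was refused);
# blank lines and existing comments pass through untouched.
filter_te_rules() {
    domain=$1
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "allow $domain "*) printf '%s\n' "$line" ;;
            allow\ *)          printf '# not granted: %s\n' "$line" ;;
            *)                 printf '%s\n' "$line" ;;
        esac
    done
}

# apply_httpd_rules INPUT [SRCDIR]
# Appends the httpd_t-only rules from INPUT to SRCDIR/domains/program/apache.te
# and rebuilds/reloads the policy with the make targets from the post.  This is
# the FC3 policy-source workflow; it is not invoked in the demo below.
apply_httpd_rules() {
    input=$1
    srcdir=${2:-/etc/selinux/targeted/src}   # path assumed from the post
    filter_te_rules httpd_t <"$input" >>"$srcdir/domains/program/apache.te"
    make -C "$srcdir" policy install reload
}

# Demo: review the constructed rules for httpd_t.  Expected output is the two
# httpd_t rules unchanged and the mysqld_t/unconfined_t rules commented out.
printf '%s\n' "$SAMPLE_RULES" | filter_te_rules httpd_t
```

Even the two rules that survive the filter deserve a look: `allow httpd_t self:tcp_socket connect` is the one that lets httpd open an outbound TCP connection (here, the AJP13 link to the remote Tomcat), while the httpd_log_t write is what you would expect from a web server anyway. On releases after FC3 the policy-source tree is gone; the equivalent workflow is `audit2allow -M <name>` followed by `semodule -i <name>.pp`, and the same review of the generated .te applies.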
-----Original Message-----
From: Randall Svancara [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 20, 2005 10:29 AM
To: Tomcat Users List
Subject: RE: mod_jk works as localhost only

Just another side note to this thread.  I was applying the SELinux
Security Policy patch to my Fedora Core 3 box today and it broke my
apache + mod_jk + tomcat installation.  The Fedora team must have changed
the Security Enhanced Linux Policy, preventing mod_jk from connecting to an
external tomcat server.  Policy.18 is the culprit, I am sure of it.  I
will research this some more.  But for right now, you will have to turn
off SELinux for the httpd daemon.  This is easy to do with the GUI tools
provided in the security level settings under the SELinux tab.
-----Original Message-----
From: Randall Svancara [mailto:[EMAIL PROTECTED]
Sent: Friday, June 17, 2005 9:43 AM
To: Tomcat Users List; naidim
Subject: RE: mod_jk works as localhost only

Is it possible for you to send us your mod_jk configuration along with
your workers.properties(if you have one)?

Randall 

-----Original Message-----
From: naidim [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 16, 2005 12:41 PM
To: Tomcat Users List
Subject: mod_jk works as localhost only

I'm running Apache2.0.52 and Tomcat 5.5.9 on FC3.  Both work fine
locally and remotely.

mod_jk is configured but it only works as localhost.  Browsing by name
or IP fails to find the files in the webapp directory.  What do I need
to change so it finds them when browsing remotely?

Thanks

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
