[CentOS] [Fwd: Re: [HEADS UP] Default value of SELinux boolean httpd_graceful_shutdown will changed.]

Fri Sep 29 15:13:01 UTC 2017
m.roth at 5-cent.us <m.roth at 5-cent.us>

---------------------------- Original Message ----------------------------
Subject: Re: [HEADS UP] Default value of SELinux boolean
httpd_graceful_shutdown will changed.
From:    "Lukas Vrabec" <lvrabec at redhat.com>
Date:    Fri, September 29, 2017 10:26
To:      devel at lists.fedoraproject.org
         "Selinux List at Fedora Project" <selinux at lists.fedoraproject.org>

On 09/29/2017 03:57 PM, Alexander Bokovoy wrote:
> On pe, 29 syys 2017, Lukas Vrabec wrote:
>> I'm planning to change the default value of the httpd_graceful_shutdown
>> boolean in Fedora Rawhide to improve the SELinux configuration.
>> Rawhide builds with this change will be available in ~5 days.
>> Together with Dan Walsh, we agreed that the httpd_graceful_shutdown
>> boolean should be turned off by default. This boolean allows HTTPD to
>> connect to port 80 for graceful shutdown, but it's breaking the
>> functionality of another boolean called httpd_can_network_connect.
>> That boolean allows HTTPD scripts and modules to connect to the
>> network using TCP, and it's turned off by default.
>> Turning this boolean off can cause some trouble on web servers where
>> processes in the httpd_t SELinux domain connect to TCP ports 80, 81,
>> 443, 488, 8008, 8009, 8443, 9000.
>> If you would like to turn it on again, use the semanage command:
>> # semanage boolean -m --on httpd_graceful_shutdown
> In FreeIPA we have httpd_can_network_connect enabled. I just checked an F26
> system and I have both booleans enabled.
> # getsebool -a|egrep 'httpd_graceful_shutdown|httpd_can_network_connect '
> httpd_can_network_connect --> on
> httpd_graceful_shutdown --> on
> So I'm a bit confused: will disabling httpd_graceful_shutdown have an
> effect on httpd_can_network_connect being enabled, or won't it?

httpd_graceful_shutdown is a subset of httpd_can_network_connect.

Turning on httpd_graceful_shutdown, you allow the httpd_t domain to connect
just to ports labeled as http_port_t.
Turning on httpd_can_network_connect, you allow the httpd_t domain to connect
to all ports from the SELinux POV.

Right now, we ship selinux-policy with httpd_graceful_shutdown turned on
and httpd_can_network_connect turned off. But it's confusing for users
because they have httpd_can_network_connect turned off but the httpd_t domain can
still connect to http_port_t ports because of httpd_graceful_shutdown.

I hope it's more clear now.

> Do I need to do anything in FreeIPA setup?
No. If httpd_can_network_connect is enabled during FreeIPA setup, you
don't need to change anything.


Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.
selinux mailing list -- selinux at lists.fedoraproject.org
To unsubscribe send an email to selinux-leave at lists.fedoraproject.org
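The subset relation Lukas describes, as an added example that is not part of the thread: a small POSIX sh model that reads constructed getsebool and semanage output (not captured from a real host) and reports why httpd_t may or may not connect to a given TCP port. It only encodes the rule stated above; on a real host the answer comes from the loaded policy (getsebool, semanage port -l, sesearch).

```shell
#!/bin/sh
# Constructed sample of `getsebool -a | egrep ...` output (not from a real host).
# Edit these two lines to model the state you want to reason about.
SAMPLE_BOOLS='httpd_can_network_connect --> off
httpd_graceful_shutdown --> on'

# Constructed sample of the `semanage port -l` line for http_port_t; the port
# list is the one quoted in the thread.
SAMPLE_PORTS='http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000'

# bool_state NAME -> prints "on" or "off" for boolean NAME in SAMPLE_BOOLS.
bool_state() {
    printf '%s\n' "$SAMPLE_BOOLS" | awk -v b="$1" '$1 == b { print $3 }'
}

# is_http_port PORT -> exit status 0 if PORT is labeled http_port_t in SAMPLE_PORTS.
is_http_port() {
    printf '%s\n' "$SAMPLE_PORTS" | awk -v p="$1" '
        $1 == "http_port_t" { for (i = 3; i <= NF; i++) { gsub(",", "", $i); if ($i == p) found = 1 } }
        END { exit !found }'
}

# httpd_may_connect PORT -> prints "all-ports", "http_port_t" or "denied":
# the reason httpd_t is (or is not) allowed to open a TCP connection to PORT,
# following the subset relation between the two booleans.
httpd_may_connect() {
    if [ "$(bool_state httpd_can_network_connect)" = on ]; then
        echo all-ports      # superset boolean: every port is reachable
    elif [ "$(bool_state httpd_graceful_shutdown)" = on ] && is_http_port "$1"; then
        echo http_port_t    # subset boolean: only http_port_t-labeled ports
    else
        echo denied         # expect an AVC denial (ausearch -m AVC -c httpd)
    fi
}

# Walk a few ports under the sample state: 80 and 443 -> http_port_t, 3306 -> denied.
for p in 80 443 3306; do
    echo "tcp/$p: $(httpd_may_connect "$p")"
done
```

Flip httpd_graceful_shutdown to off in SAMPLE_BOOLS and the http_port_t ports become "denied" too, which is exactly the breakage the HEADS UP warns about for admins relying on the old default.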