---------------------------- Original Message ----------------------------
Subject: Re: [HEADS UP] Default value of SELinux boolean httpd_graceful_shutdown will change.
From: "Lukas Vrabec" <lvrabec at redhat.com>
Date: Fri, September 29, 2017 10:26
To: devel at lists.fedoraproject.org, "Selinux List at Fedora Project" <selinux at lists.fedoraproject.org>
--------------------------------------------------------------------------

On 09/29/2017 03:57 PM, Alexander Bokovoy wrote:
> On pe, 29 syys 2017, Lukas Vrabec wrote:
>> I'm planning to change the default value of the httpd_graceful_shutdown
>> boolean in Fedora Rawhide to improve the SELinux configuration.
>> Rawhide builds with this change will be available in ~5 days.
>>
>> Together with Dan Walsh, we agreed that the httpd_graceful_shutdown
>> boolean should be turned off by default. This boolean allows HTTPD to
>> connect to port 80 for graceful shutdown, but it's breaking the
>> functionality of another boolean called httpd_can_network_connect.
>> This boolean allows HTTPD scripts and modules to connect to the
>> network using TCP and it's turned off by default.
>>
>> Turning this boolean off can cause some trouble on web servers where
>> processes in the httpd_t SELinux domain connect to TCP ports: 80, 81,
>> 443, 488, 8008, 8009, 8443, 9000
>>
>> If you would like to turn it on again, use the semanage command:
>> # semanage boolean -m --on httpd_graceful_shutdown
> In FreeIPA we have httpd_can_network_connect enabled. I just checked an F26
> system and I have both booleans enabled.
>
> # getsebool -a|egrep 'httpd_graceful_shutdown|httpd_can_network_connect '
> httpd_can_network_connect --> on
> httpd_graceful_shutdown --> on
>
> So I'm a bit confused: will disabling httpd_graceful_shutdown have an
> effect on httpd_can_network_connect being enabled, or won't it?
>

httpd_graceful_shutdown is a subset of httpd_can_network_connect.

Turning on httpd_graceful_shutdown allows the httpd_t domain to connect only to ports labeled http_port_t. Turning on httpd_can_network_connect allows the httpd_t domain to connect to all ports from the SELinux point of view.

Right now, we ship selinux-policy with httpd_graceful_shutdown turned on and httpd_can_network_connect turned off. But it's confusing for users because they have httpd_can_network_connect turned off, but the httpd_t domain can still connect to http_port_t ports because of httpd_graceful_shutdown.

I hope it's more clear now.

> Do I need to do anything in FreeIPA setup?
>

No, if httpd_can_network_connect is enabled during FreeIPA setup, you don't need to change anything.

Lukas.

--
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.
_______________________________________________
selinux mailing list -- selinux at lists.fedoraproject.org
To unsubscribe send an email to selinux-leave at lists.fedoraproject.org
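An added example, not from the thread: a small POSIX shell audit helper that applies Lukas's description of the two booleans to `getsebool -a` and `semanage port -l` output and reports which TCP ports httpd_t may reach. The sample outputs are constructed; the http_port_t line reuses the port list given above.

```shell
#!/bin/sh
# Constructed sample of `getsebool -a` output: the state shipped today
# (graceful shutdown on, network connect off), as described in the thread.
SAMPLE_BOOLS='httpd_can_network_connect --> off
httpd_graceful_shutdown --> on'

# Constructed sample of `semanage port -l` output (two types only).
SAMPLE_PORTS='http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22'

# bool_state NAME BOOL_OUTPUT -> prints "on" or "off" for boolean NAME.
bool_state() {
    printf '%s\n' "$2" | awk -v n="$1" '$1 == n { print $3 }'
}

# http_ports PORT_OUTPUT -> prints the http_port_t TCP ports, space-separated.
http_ports() {
    printf '%s\n' "$1" | awk '$1 == "http_port_t" && $2 == "tcp" {
        for (i = 3; i <= NF; i++) {
            sub(",", "", $i)
            printf "%s%s", (i > 3 ? " " : ""), $i
        }
        print ""
    }'
}

# httpd_outbound BOOL_OUTPUT PORT_OUTPUT -> "all", the http_port_t list, or "none".
# Models the thread's explanation: httpd_can_network_connect permits every
# port; otherwise httpd_graceful_shutdown permits only http_port_t ports.
httpd_outbound() {
    if [ "$(bool_state httpd_can_network_connect "$1")" = on ]; then
        echo all
    elif [ "$(bool_state httpd_graceful_shutdown "$1")" = on ]; then
        http_ports "$2"
    else
        echo none
    fi
}

# Stand-alone run on the constructed samples.
echo "httpd_t may connect to: $(httpd_outbound "$SAMPLE_BOOLS" "$SAMPLE_PORTS")"
```

On a live host, pass `"$(getsebool -a)"` and `"$(semanage port -l)"` instead of the samples to see the effective state before and after the default change.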