On pe, 29 syys 2017, Lukas Vrabec wrote:
I'm planning change the default value of httpd_graceful_shutdown
boolean in Fedora Rawhide because of improving SELinux configuration.
Rawhide builds with this change will be available in ~5 days.
Together with Dan Walsh, we agreed on that httpd_graceful_shutdown
boolean should be by default turned off. This boolean allows HTTPD to
connect to port 80 for graceful shutdown, but it's breaking the
functionality of another boolean called: httpd_can_network_connect.
This boolean allows HTTPD scripts and modules to connect to the
network using TCP and it's turned off by default.
Turning this boolean off can cause some troubles, on web-servers where
processes with httpd_t SELinux domain connecting to tcp ports: 80, 81,
443, 488, 8008, 8009, 8443, 9000
If you would like to turn in on again, use semanage command:
# semanage boolean -m --on httpd_graceful_shutdown
In FreeIPA we have httpd_can_network_connect enabled. I just checked a F26
system and I have both booleans enabled.
# getsebool -a|egrep 'httpd_graceful_shutdown|httpd_can_network_connect '
httpd_can_network_connect --> on
httpd_graceful_shutdown --> on
So I'm a bit confused: disabling httpd_graceful_shutdown will have or
wouldn't have an effect on httpd_can_network_connect being enabled?
Do I need to do anything in FreeIPA setup?
--
/ Alexander Bokovoy
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
