On 09/29/2017 04:39 PM, Alexander Bokovoy wrote:
On Fri, 29 Sep 2017, Lukas Vrabec wrote:
On 09/29/2017 03:57 PM, Alexander Bokovoy wrote:
On Fri, 29 Sep 2017, Lukas Vrabec wrote:
I'm planning to change the default value of the httpd_graceful_shutdown
boolean in Fedora Rawhide to improve the SELinux configuration.
Rawhide builds with this change will be available in ~5 days.
Together with Dan Walsh, we agreed that the httpd_graceful_shutdown
boolean should be turned off by default. This boolean allows HTTPD
to connect to port 80 for graceful shutdown, but it breaks the
functionality of another boolean called httpd_can_network_connect.
That boolean allows HTTPD scripts and modules to connect to the
network using TCP, and it is turned off by default.
Turning this boolean off can cause some trouble on web servers
where processes in the httpd_t SELinux domain connect to TCP ports
80, 81, 443, 488, 8008, 8009, 8443 or 9000.
If you would like to turn it on again, use the semanage command:
# semanage boolean -m --on httpd_graceful_shutdown
In FreeIPA we have httpd_can_network_connect enabled. I just checked
an F26 system and I have both booleans enabled.
# getsebool -a | egrep 'httpd_graceful_shutdown|httpd_can_network_connect'
httpd_can_network_connect --> on
httpd_graceful_shutdown --> on
So I'm a bit confused: will disabling httpd_graceful_shutdown have an
effect on httpd_can_network_connect being enabled, or won't it?
httpd_graceful_shutdown is a subset of httpd_can_network_connect.
Turning on httpd_graceful_shutdown allows the httpd_t domain to connect
only to ports labeled http_port_t.
Turning on httpd_can_network_connect allows the httpd_t domain to
connect to all ports from the SELinux point of view.
Right now, we ship selinux-policy with httpd_graceful_shutdown turned
on and httpd_can_network_connect turned off. But it's confusing for
users because they have httpd_can_network_connect turned off, yet the
httpd_t domain can still connect to http_port_t ports because of
httpd_graceful_shutdown.
I hope it's more clear now.
Yes, thanks.
We need to use httpd_can_network_connect because we need to connect to
ports that are chosen randomly by the remote side, thanks to the
port-mapping feature of the DCE RPC protocol stack.
In that case you are using httpd_can_network_connect correctly.
Lukas.
--
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.
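The relationship between the two booleans explained in the thread (httpd_graceful_shutdown grants only http_port_t ports, httpd_can_network_connect grants every port) can be checked on a host by parsing the output of getsebool and semanage. The script below is an added example, not code from the thread or from selinux-policy; the sample outputs are constructed to match the shipped default the thread describes, and the decision function is a simplified model that ignores every other httpd_* boolean.

```python
import re

# Constructed sample in the format of `getsebool -a` output (not a real capture).
GETSEBOOL_OUTPUT = """\
httpd_can_network_connect --> off
httpd_graceful_shutdown --> on
"""

# Constructed sample in the format of `semanage port -l` output (not a real capture).
SEMANAGE_PORT_OUTPUT = """\
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ldap_port_t                    tcp      389, 636, 3268, 3269, 7389
"""

def parse_booleans(text):
    # boolean name -> True/False
    bools = {}
    for line in text.splitlines():
        m = re.match(r"(\S+)\s+-->\s+(on|off)$", line.strip())
        if m:
            bools[m.group(1)] = m.group(2) == "on"
    return bools

def parse_ports(text):
    # (port type, proto) -> set of port numbers, expanding ranges such as 1-511
    ports = {}
    for line in text.splitlines():
        m = re.match(r"(\S+_port_t)\s+(tcp|udp)\s+(.+)$", line.strip())
        if not m:
            continue
        nums = set()
        for item in m.group(3).split(","):
            lo, _, hi = item.strip().partition("-")
            nums.update(range(int(lo), int(hi or lo) + 1))
        ports[(m.group(1), m.group(2))] = nums
    return ports

def httpd_may_connect(port, bools, ports):
    # Simplified model of the two booleans from the thread: httpd_can_network_connect
    # grants every TCP port, httpd_graceful_shutdown only ports labeled http_port_t.
    if bools.get("httpd_can_network_connect", False):
        return True, "httpd_can_network_connect"
    if bools.get("httpd_graceful_shutdown", False) and port in ports.get(("http_port_t", "tcp"), set()):
        return True, "httpd_graceful_shutdown (http_port_t)"
    return False, "no boolean grants it"

if __name__ == "__main__":
    b, p = parse_booleans(GETSEBOOL_OUTPUT), parse_ports(SEMANAGE_PORT_OUTPUT)
    for port in (80, 443, 8080, 389):
        print(port, httpd_may_connect(port, b, p))
```

On a real host, feed it the actual command output (`getsebool -a` and `semanage port -l`) instead of the constructed samples; the confusing state from the thread shows up as port 80 allowed while httpd_can_network_connect is off.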
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx