httpd_graceful_shutdown makes httpd_can_network_connect mostly mute


Hi,

I don't know if this is too basic a question to ask here, or the proper
place, but here it goes:

I've been chasing some weird (to me) behavior with the targeted policy
on a VM running nginx as a reverse proxy. What happens is that the
"httpd_can_network_connect" boolean needs to be enabled for nginx to
be able to reach its upstream servers. So far, so good.

However, if the upstream server happens to be listening on one of the
"http_port_t" ports, "httpd_can_network_connect" isn't needed because
"httpd_graceful_shutdown" (enabled by default) provides the required
allow rule ("name_connect").

This seems strange to me. Is this supposed to be like this? I would
expect nginx to be totally unable to establish outbound connections by
default.

Best regards,

Carlos Rodrigues

PS: I just spent a few hours on this, wondering why one machine needed
"httpd_can_network_connect" and another did not. I guess I've mostly
been setting up reverse proxies for "http_port_t" upstreams on CentOS
all this time...
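One way to confirm which boolean is granting the connection on a given machine is to query the loaded policy for name_connect rules from httpd_t and read off the conditional each rule is gated by. The helper below is an added example, not part of the original mail; it assumes setools 4's `sesearch` output format ("allow S T:tcp_socket name_connect; [ bool ]:True"), and the embedded sample rules are constructed to mirror the two cases described above.

```shell
#!/bin/sh
# Added example, not from the original mail. Reads setools-4 style sesearch
# output ("allow S T:tcp_socket name_connect; [ bool ]:True") and reports
# which boolean gates name_connect from httpd_t to a given port type, so the
# two cases in the mail (http_port_t vs. any other port type) can be checked.

# Live query (assumption: setools 4 'sesearch' is installed and the policy
# is loaded); output has the same shape as SAMPLE_RULES below.
live_rules() {
    sesearch -A -s httpd_t -c tcp_socket -p name_connect
}

# Constructed sample modelled on the rules the mail describes; booleans are
# shown with httpd_graceful_shutdown on and httpd_can_network_connect off.
SAMPLE_RULES='allow httpd_t http_port_t:tcp_socket name_connect; [ httpd_graceful_shutdown ]:True
allow httpd_t port_type:tcp_socket name_connect; [ httpd_can_network_connect ]:False
allow httpd_t http_cache_port_t:tcp_socket name_connect; [ httpd_can_network_relay ]:False'

# grants_for <port_type>: read rules on stdin; for each rule whose target is
# <port_type> or the port_type attribute, print "<boolean> <True|False>".
grants_for() {
    awk -v t="$1" '
        $1 == "allow" && $2 == "httpd_t" && index($3, ":tcp_socket") {
            split($3, tc, ":")
            if (tc[1] == t || tc[1] == "port_type") {
                b = substr($0, index($0, "[ ") + 2); sub(/ ].*$/, "", b)  # boolean expr
                s = $0; sub(/^.*]:/, "", s)                              # current state
                print b, s
            }
        }'
}

# already_allowed <port_type>: exit 0 if some enabled boolean already grants
# the connection (so httpd_can_network_connect would be redundant), else 1.
already_allowed() {
    grants_for "$1" | grep -q ' True$'
}

# Usage: ./check.sh http_port_t   (uses the live policy when sesearch exists)
if [ -n "${1:-}" ]; then
    if command -v sesearch >/dev/null 2>&1; then rules=$(live_rules); else rules=$SAMPLE_RULES; fi
    printf '%s\n' "$rules" | grants_for "$1"
    if printf '%s\n' "$rules" | already_allowed "$1"; then
        echo "$1: name_connect already granted by an enabled boolean"
    else
        echo "$1: httpd_can_network_connect needed"
    fi
fi
```

Run against the live policy, a ":True" next to httpd_graceful_shutdown for http_port_t explains why one box worked without httpd_can_network_connect while a box with an upstream on any other port type did not.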


