On Wed, Aug 02, 2017 at 04:41:00PM +0100, Carlos Rodrigues wrote:
> Hi,
>
> I don't know if this a too basic question to ask here, or the proper
> place, but here it goes:
>
> I've been chasing some weird (to me) behavior with the targeted policy
> on a VM running nginx as a reverse proxy. What happens is that the
> "httpd_can_network_connect" boolean needs to be enabled for nginx to
> be able to reach its upstream servers. So far, so good.
>
> However, if the upsteam server happens to be listening in one of the
> "http_port_t" ports, "httpd_can_network_connect" isn't needed because
> the "httpd_graceful_shutdown" (default enabled) provides the required
> allow rule ("name_connect").
>
> This seems strange to me. Is this supposed to be like this? I would
> expect nginx to be totally unable to establish outbound connections by
> default.
>
> Best regards,
>
> Carlos Rodrigues
>
> PS: I just spent a few hours on this, wondering why one machine needed
> "httpd_can_network_connect" and another did not. I guess I've mostly
> been setting up reverse proxies for "http_port_t" upstreams on CentOS
> all this time...
I think the "httpd_graceful_shutdown" is an apache thing (probably for "apachectl graceful-stop"). However I cannot reproduce this behavior with httpd-2.4.27-4.fc27.
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
Attachment:
signature.asc
Description: PGP signature
