I'm planning to change the default value of the httpd_graceful_shutdown boolean in Fedora Rawhide to improve the SELinux configuration. Rawhide builds with this change will be available in ~5 days.
Together with Dan Walsh, we agreed that the httpd_graceful_shutdown boolean should be turned off by default. This boolean allows HTTPD to connect to port 80 for graceful shutdown, but it breaks the functionality of another boolean called httpd_can_network_connect. That boolean allows HTTPD scripts and modules to connect to the network using TCP, and it's turned off by default.
Turning this boolean off can cause some trouble on web servers where processes in the httpd_t SELinux domain connect to TCP ports 80, 81, 443, 488, 8008, 8009, 8443 or 9000.
If you would like to turn it on again, use the semanage command: # semanage boolean -m --on httpd_graceful_shutdown
If you have any questions, feel free to contact me. Lukas.
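An added check, not part of Lukas's mail, that an administrator can run before the new default lands to see what httpd_t will still be allowed to connect to. It assumes the port list above is exactly what httpd_graceful_shutdown gates, that httpd_can_network_connect=on lifts the restriction for every TCP port, and that getsebool is available; the constructed sample output stands in for a live host.

```shell
#!/bin/sh
# Added example: summarise what httpd_t may connect to, given the state of the
# two booleans discussed in the announcement.
# Assumptions: the port list is the one quoted in the mail, and
# httpd_can_network_connect=on permits any TCP port regardless of the other boolean.

HTTPD_PORTS="80 81 443 488 8008 8009 8443 9000"

# Extract the value of one boolean from getsebool output such as
# "httpd_graceful_shutdown --> off". Prints "on", "off" or "unknown".
bool_state() {
    name=$1; text=$2
    v=$(printf '%s\n' "$text" | awk -v n="$name" '$1 == n { print $3 }')
    case "$v" in
        on|off) printf '%s\n' "$v" ;;
        *)      printf 'unknown\n' ;;
    esac
}

# Decide which TCP ports httpd_t can initiate connections to.
# Prints "any", the explicit port list, or "none".
httpd_reachable_ports() {
    text=$1
    if [ "$(bool_state httpd_can_network_connect "$text")" = on ]; then
        printf 'any\n'
    elif [ "$(bool_state httpd_graceful_shutdown "$text")" = on ]; then
        printf '%s\n' "$HTTPD_PORTS"
    else
        printf 'none\n'
    fi
}

# Live check on a host (needs getsebool from policycoreutils).
check_host() {
    httpd_reachable_ports "$(getsebool httpd_graceful_shutdown httpd_can_network_connect 2>/dev/null)"
}

# Constructed sample standing in for getsebool output: the new Rawhide default.
SAMPLE_NEW_DEFAULT='httpd_graceful_shutdown --> off
httpd_can_network_connect --> off'
```

Run check_host on a real machine; with both booleans off it reports "none", which is the state the announcement warns will break httpd_t connections to the listed ports.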
On 09/29/2017 03:30 PM, Lukas Vrabec wrote:
Build selinux-policy-3.13.1-291.fc28 was completed in koji. This build also contains the changed default value of the httpd_graceful_shutdown boolean.
Lukas.