| Summary: | 'setsebool -P httpd_can_network_connect 1' doesn't work | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Jan Synacek <jsynacek> |
| Component: | policycoreutils | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Priority: | unspecified |
| Version: | rawhide | CC: | dwalsh, herrold, mgrepl |
| Hardware: | Unspecified | OS: | Unspecified |
| Doc Type: | Bug Fix | Type: | Bug |
| Last Closed: | 2013-11-28 10:08:51 UTC | | |

Description
Jan Synacek
2013-11-26 11:32:27 UTC
It is working for me.

```
# setsebool -P httpd_can_network_connect 1
# getsebool httpd_can_network_connect
httpd_can_network_connect --> on
# semanage boolean --list | grep httpd_can_network_connect
httpd_can_network_connect_db (off , off) Allow HTTPD scripts and modules to connect to databases over the network.
httpd_can_network_connect (on , on) Allow HTTPD scripts and modules to connect to the network using TCP.
httpd_can_network_connect_cobbler (off , off) Allow HTTPD scripts and modules to connect to cobbler over the network.

rpm -q policycoreutils libselinux selinux-policy
policycoreutils-2.2.3-1.fc21.x86_64
libselinux-2.2-1.fc21.x86_64
selinux-policy-3.13.1-6.fc21.noarch
```

Created attachment 829609: strace

Any idea what might be wrong? I tried other booleans and they weren't set as well.

Did you test it in permissive mode? Any chance you are getting AVC msgs?

Also could you try to use the latest rawhide policy?

```
selinux-policy-targeted-3.13.1-6.fc21.noarch
```

I tried in permissive as well and I'm not getting any AVCs either. Nothing with selinux-policy-targeted-3.13.1-6.fc21.noarch as well.

Does semodule -B fail?

Jan, also you could try to reinstall selinux-policy-targeted:

```
yum reinstall selinux-policy-targeted
```

Reinstalling selinux-policy-targeted doesn't help. However, semodule -B fails:

```
# semodule -B
libsepol.permission_copy_callback: Module logicalfile depends on permission kill in class service, not satisfied (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule: Failed!
# echo $?
1
```

The module logicalfile probably controls rights for the 'openlmi-logicalfile' package, which is not installed. But I do have some symlinks at places that installation of the package would populate, because I'm using a git version. Can that be a problem?

You need to re-compile this module. Please do

```
# semodule -r logicalfile
# yum reinstall selinux-policy-targeted
```

and then you can recompile/reload logicalfile.pp.

Btw. how does the logicalfile policy look? We should have it in the policy.

So I did:

```
# semodule -r logicalfile
# yum reinstall selinux-policy-targeted
... <ok>
# semodule -B
# setsebool -P httpd_can_network_connect 1
# semanage boolean --list | grep httpd_can_network_connect
...
httpd_can_network_connect (on , on) Allow HTTPD scripts and modules to connect to the network using TCP.
...
```

Seems to be working now, thanks for the help! I guess this bug can be closed as NOTABUG/WORKSFORME.
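
The checks walked through in this thread, collected into a script. This is an added example, not part of the original report or of policycoreutils; the function names are hypothetical, and the parsers assume the `semanage boolean --list` and `semodule -B` output formats quoted above.

```shell
#!/usr/bin/env bash
# Added example: verify a persistent SELinux boolean change and, if it did
# not stick, check whether the policy rebuild is failing on a module.

# Print "current persistent" for one boolean, reading `semanage boolean --list`
# output on stdin. Matches the exact name, so httpd_can_network_connect_db is
# not mistaken for httpd_can_network_connect. Exit status 1 if not listed.
boolean_state() {
  awk -v name="$1" '$1 == name {
    line = $0
    sub(/^[^(]*\(/, "", line); sub(/\).*/, "", line)
    gsub(/[ \t]/, "", line); split(line, s, ",")
    print s[1], s[2]; found = 1
  }
  END { exit found ? 0 : 1 }'
}

# Print the modules that `semodule -B` output (on stdin) reports as having an
# unsatisfied dependency, one name per line.
broken_modules() {
  sed -n 's/^libsepol\.[^:]*: Module \([^ ]*\) depends on .*not satisfied.*/\1/p' | sort -u
}

# Set a boolean persistently, confirm both states, and on a mismatch try a
# policy rebuild to see which module blocks it. Run as root on the affected
# host; "want" must be given as on or off.
check_persistent_boolean() {
  local name=$1 want=$2 state out
  setsebool -P "$name" "$want" || echo "setsebool -P exited non-zero" >&2
  state=$(semanage boolean --list | boolean_state "$name") || {
    echo "boolean $name not found" >&2; return 2; }
  [ "$state" = "$want $want" ] && { echo "OK: $name is ($state)"; return 0; }
  echo "MISMATCH: $name is ($state), wanted $want" >&2
  if ! out=$(semodule -B 2>&1); then
    echo "policy rebuild fails; modules with unsatisfied dependencies:" >&2
    printf '%s\n' "$out" | broken_modules >&2
  fi
  return 1
}

# Usage (as root): check_persistent_boolean httpd_can_network_connect on
```

The script only reports the offending module; removing it with `semodule -r` and rebuilding, as was done in the thread, is left as a manual decision.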