Bug 1034709

Summary: 'setsebool -P httpd_can_network_connect 1' doesn't work
Product: [Fedora] Fedora
Reporter: Jan Synacek <jsynacek>
Component: policycoreutils
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: dwalsh, herrold, mgrepl
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2013-11-28 10:08:51 UTC
Type: Bug
Attachments: strace (flags: none)

Description Jan Synacek 2013-11-26 11:32:27 UTC
Description of problem:
Setting an SELinux boolean (httpd_can_network_connect) permanently does not work.


Version-Release number of selected component (if applicable):
policycoreutils-2.2.3-1.fc21.x86_64
selinux-policy-3.13.1-5.fc21.noarch
libselinux-2.2-1.fc21.x86_64


Steps to Reproduce:
1. # semanage boolean --list | grep httpd_can_network_connect
...
httpd_can_network_connect      (off  ,  off)  Allow HTTPD scripts and modules to connect to the network using TCP.
...

2. # setsebool -P httpd_can_network_connect 1
<no output>

3. # echo $?
255

4. Same as step 1.


Actual results:
The boolean is not set permanently.


Expected results:
The boolean is set permanently.


Additional info:
Setting the boolean without -P works as expected.

Comment 1 Daniel Walsh 2013-11-26 19:45:35 UTC
It is working for me.

# setsebool -P httpd_can_network_connect 1
# getsebool httpd_can_network_connect
httpd_can_network_connect --> on
# semanage boolean --list | grep httpd_can_network_connect
httpd_can_network_connect_db   (off  ,  off)  Allow HTTPD scripts and modules to connect to databases over the network.
httpd_can_network_connect      (on   ,   on)  Allow HTTPD scripts and modules to connect to the network using TCP.
httpd_can_network_connect_cobbler (off  ,  off)  Allow HTTPD scripts and modules to connect to cobbler over the network.


rpm -q policycoreutils libselinux selinux-policy
policycoreutils-2.2.3-1.fc21.x86_64
libselinux-2.2-1.fc21.x86_64
selinux-policy-3.13.1-6.fc21.noarch

Comment 2 Jan Synacek 2013-11-27 08:21:09 UTC
Created attachment 829609 [details]
strace

Comment 3 Jan Synacek 2013-11-27 08:22:30 UTC
Any idea what might be wrong? I tried other booleans and they weren't set either.

Comment 4 Miroslav Grepl 2013-11-27 10:02:19 UTC
Did you test it in permissive mode? Any chance you are getting AVC msgs? Also could you try to use the latest rawhide policy?

selinux-policy-targeted-3.13.1-6.fc21.noarch

Comment 5 Jan Synacek 2013-11-27 10:26:08 UTC
I tried in permissive as well and I'm not getting any AVCs either.

Comment 6 Jan Synacek 2013-11-27 10:29:41 UTC
Nothing with selinux-policy-targeted-3.13.1-6.fc21.noarch either.

Comment 7 Daniel Walsh 2013-11-27 13:41:30 UTC
Does

semodule -B

fail?

Comment 8 Daniel Walsh 2013-11-27 13:44:37 UTC
Jan, you could also try to reinstall selinux-policy-targeted:

yum reinstall selinux-policy-targeted

Comment 9 Jan Synacek 2013-11-28 07:48:33 UTC
Reinstalling selinux-policy-targeted doesn't help.

However, semodule -B fails:

# semodule -B
libsepol.permission_copy_callback: Module logicalfile depends on permission kill in class service, not satisfied (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!

# echo $?
1

The module logicalfile probably controls rights for the 'openlmi-logicalfile' package, which is not installed. But I do have some symlinks at places that installation of the package would populate, because I'm using a git version. Can that be a problem?

Comment 10 Miroslav Grepl 2013-11-28 09:28:23 UTC
You need to re-compile this module. Please do

# semodule -r logicalfile
# yum reinstall selinux-policy-targeted

and then you can recompile/reload logicalfile.pp. Btw, how does the logicalfile policy look? We should have it in the policy.

Comment 11 Jan Synacek 2013-11-28 09:54:50 UTC
So I did:

# semodule -r logicalfile

# yum reinstall selinux-policy-targeted
...
<ok>

# semodule -B

# setsebool -P httpd_can_network_connect 1

# semanage boolean --list | grep httpd_can_network_connect
...
httpd_can_network_connect      (on   ,   on)  Allow HTTPD scripts and modules to connect to the network using TCP.
...

Seems to be working now, thanks for the help! I guess this bug can be closed as NOTABUG/WORKSFORME.
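
Added example, not part of the bug thread: a triage helper for the failure mode diagnosed above, where `setsebool -P` exits non-zero with no output because the policy rebuild cannot link a stale module. The function names and the `SAMPLE_*` variables are this example's own; the sample lines are copied from Comments 1 and 9. It only reports the offending module and never removes it.

```bash
#!/usr/bin/env bash
# Sample input copied from the thread (Comment 9 and Comment 1).
SAMPLE_SEMODULE='libsepol.permission_copy_callback: Module logicalfile depends on permission kill in class service, not satisfied (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!'
SAMPLE_BOOLEANS='httpd_can_network_connect_db   (off  ,  off)  Allow HTTPD scripts and modules to connect to databases over the network.
httpd_can_network_connect      (on   ,   on)  Allow HTTPD scripts and modules to connect to the network using TCP.'

# stdin: `semodule -B` output. Prints each module named in a libsepol
# "depends on ... not satisfied" link error.
broken_module() {
    sed -n 's/^libsepol\.[a-z_]*: Module \([^ ]*\) depends on .*not satisfied.*/\1/p' | sort -u
}

# stdin: `semanage boolean --list` output. Prints "<state> <default>" for the
# boolean named exactly $1 (a plain grep also matches *_db, *_cobbler, ...).
boolean_state() {
    awk -v b="$1" '$1 == b { gsub(/[(),]/, " "); print $2, $3; exit }'
}

# Set boolean $1 to $2 persistently; on failure, rebuild the policy to
# surface the link error that setsebool -P hides. Must run as root.
set_persistent() {
    local name="$1" value="$2" out mod rc=0
    setsebool -P "$name" "$value" || rc=$?
    if [ "$rc" -eq 0 ]; then
        semanage boolean --list | boolean_state "$name"
        return 0
    fi
    echo "setsebool -P $name failed (exit $rc); running semodule -B" >&2
    out=$(semodule -B 2>&1) || true
    mod=$(printf '%s\n' "$out" | broken_module)
    if [ -n "$mod" ]; then
        echo "policy link fails on module(s): $mod" >&2
        echo "fix used in this thread: semodule -r <module>, reinstall" \
             "selinux-policy-targeted, then rebuild the module" >&2
    else
        printf '%s\n' "$out" >&2   # some other rebuild error: show it as-is
    fi
    return "$rc"
}
```

Source the file and call `set_persistent httpd_can_network_connect 1` as root; the two parsing functions can be checked offline against the sample variables.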