Bug 1034709 - 'setsebool -P httpd_can_network_connect 1' doesn't work
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: policycoreutils
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-11-26 11:32 UTC by Jan Synacek
Modified: 2017-08-31 19:35 UTC (History)

Doc Type: Bug Fix
Last Closed: 2013-11-28 10:08:51 UTC
Type: Bug


Attachments:
strace (127.82 KB, application/x-xz), 2013-11-27 08:21 UTC, Jan Synacek

Description Jan Synacek 2013-11-26 11:32:27 UTC
Description of problem:
Setting an SELinux boolean (httpd_can_network_connect) permanently does not work.


Version-Release number of selected component (if applicable):
policycoreutils-2.2.3-1.fc21.x86_64
selinux-policy-3.13.1-5.fc21.noarch
libselinux-2.2-1.fc21.x86_64


Steps to Reproduce:
1. # semanage boolean --list | grep httpd_can_network_connect
...
httpd_can_network_connect      (off  ,  off)  Allow HTTPD scripts and modules to connect to the network using TCP.
...

2. # setsebool -P httpd_can_network_connect 1
<no output>

3. # echo $?
255

4. same as step n.1


Actual results:
The boolean is not set permanently.


Expected results:
The boolean is set permanently.


Additional info:
Setting the boolean without -P works as expected.

Comment 1 Daniel Walsh 2013-11-26 19:45:35 UTC
It is working for me.

#  setsebool -P httpd_can_network_connect 1
# getsebool httpd_can_network_connect
httpd_can_network_connect --> on
# semanage boolean --list | grep httpd_can_network_connect
httpd_can_network_connect_db   (off  ,  off)  Allow HTTPD scripts and modules to connect to databases over the network.
httpd_can_network_connect      (on   ,   on)  Allow HTTPD scripts and modules to connect to the network using TCP.
httpd_can_network_connect_cobbler (off  ,  off)  Allow HTTPD scripts and modules to connect to cobbler over the network.


rpm -q policycoreutils libselinux selinux-policy
policycoreutils-2.2.3-1.fc21.x86_64
libselinux-2.2-1.fc21.x86_64
selinux-policy-3.13.1-6.fc21.noarch

Comment 2 Jan Synacek 2013-11-27 08:21:09 UTC
Created attachment 829609: strace

Comment 3 Jan Synacek 2013-11-27 08:22:30 UTC
Any idea what might be wrong? I tried other booleans and they weren't set either.

Comment 4 Miroslav Grepl 2013-11-27 10:02:19 UTC
Did you test it in permissive mode? Any chance you are getting AVC msgs? Also could you try to use the latest rawhide policy?

selinux-policy-targeted-3.13.1-6.fc21.noarch

Comment 5 Jan Synacek 2013-11-27 10:26:08 UTC
I tried in permissive as well and I'm not getting any AVCs either.

Comment 6 Jan Synacek 2013-11-27 10:29:41 UTC
Nothing with selinux-policy-targeted-3.13.1-6.fc21.noarch as well.

Comment 7 Daniel Walsh 2013-11-27 13:41:30 UTC
Does 

semodule -B

Fail?

Comment 8 Daniel Walsh 2013-11-27 13:44:37 UTC
Jan, you could also try to reinstall selinux-policy-targeted

yum reinstall selinux-policy-targeted

Comment 9 Jan Synacek 2013-11-28 07:48:33 UTC
Reinstalling selinux-policy-targeted doesn't help.

However, semodule -B fails:

# semodule -B
libsepol.permission_copy_callback: Module logicalfile depends on permission kill in class service, not satisfied (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!

# echo $?
1

The module logicalfile probably controls rights for 'openlmi-logicalfile' package, which is not installed. But I do have some symlinks at places that installation of the package would populate, because I'm using a git version. Can that be a problem?

Comment 10 Miroslav Grepl 2013-11-28 09:28:23 UTC
You need to re-compile this module. Please do

# semodule -r logicalfile
# yum reinstall selinux-policy-targeted

and then you can recompile/reload logicalfile.pp. Btw. how does the logicalfile policy look? We should have it in the policy.

Comment 11 Jan Synacek 2013-11-28 09:54:50 UTC
So I did:

# semodule -r logicalfile

# yum reinstall selinux-policy-targeted
...
<ok>

# semodule -B

# setsebool -P httpd_can_network_connect 1

# semanage boolean --list | grep httpd_can_network_connect
...
httpd_can_network_connect      (on   ,   on)  Allow HTTPD scripts and modules to connect to the network using TCP.
...

Seems to be working now, thanks for the help! I guess this bug can be closed as NOTABUG/WORKSFORME.
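
The triage this thread converges on (a silent `setsebool -P` failure traced to a `semodule -B` link error caused by one stale module), as an added example that is not part of the original bug report or of policycoreutils. The function names `unsatisfied_modules` and `persist_boolean` are hypothetical; the script assumes `setsebool` and `semodule` are on PATH and that it runs as root, and the sample input is the `semodule -B` output quoted in Comment 9.

```shell
#!/bin/sh
# Added triage helper, not part of the bug thread. Assumes setsebool and
# semodule (policycoreutils) are on PATH and the script runs as root.

# Constructed sample: the `semodule -B` output quoted in Comment 9.
SAMPLE_OUTPUT='libsepol.permission_copy_callback: Module logicalfile depends on permission kill in class service, not satisfied (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!'

# Read `semodule -B` output on stdin; print "<module> <permission> <class>"
# for every libsepol "depends on permission ... not satisfied" line.
unsatisfied_modules() {
    sed -n 's/^libsepol\.[A-Za-z_]*: Module \([^ ]*\) depends on permission \([^ ]*\) in class \([^ ,]*\), not satisfied.*/\1 \2 \3/p' | sort -u
}

# persist_boolean NAME VALUE
# Returns 0 if the boolean was stored, 1 if a module blocks the policy
# rebuild (named on stderr), 2 if the failure has another cause.
persist_boolean() {
    name=$1 value=$2 rc=0
    setsebool -P "$name" "$value" || rc=$?
    [ "$rc" -eq 0 ] && return 0
    echo "setsebool -P $name $value exited $rc; testing policy rebuild" >&2
    if build_err=$(semodule -B 2>&1); then
        echo "semodule -B succeeds; look elsewhere (mode, AVC messages)" >&2
        return 2
    fi
    culprits=$(printf '%s\n' "$build_err" | unsatisfied_modules)
    if [ -z "$culprits" ]; then
        printf '%s\n' "$build_err" >&2   # unrecognised failure: show it raw
        return 2
    fi
    printf '%s\n' "$culprits" | while read -r mod perm class; do
        echo "module $mod requires permission '$perm' in class '$class', not satisfied" >&2
        echo "remove it (semodule -r $mod), rebuild with semodule -B, then recompile the module" >&2
    done
    return 1
}

# Offline demonstration on the sample above.
printf '%s\n' "$SAMPLE_OUTPUT" | unsatisfied_modules
```

On a live system, call `persist_boolean httpd_can_network_connect 1` and act on the return code; the top-level line only parses the embedded sample.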

