Description of problem:
Setting the SELinux boolean httpd_can_network_connect permanently does not work.

Version-Release number of selected component (if applicable):
policycoreutils-2.2.3-1.fc21.x86_64
selinux-policy-3.13.1-5.fc21.noarch
libselinux-2.2-1.fc21.x86_64

Steps to Reproduce:
1. # semanage boolean --list | grep httpd_can_network_connect
   ...
   httpd_can_network_connect      (off , off)  Allow HTTPD scripts and modules to connect to the network using TCP.
   ...
2. # setsebool -P httpd_can_network_connect 1
   <no output>
3. # echo $?
   255
4. Same as step 1.

Actual results:
The boolean is not set permanently.

Expected results:
The boolean is set permanently.

Additional info:
Setting the boolean without -P works as expected.
It is working for me.

# setsebool -P httpd_can_network_connect 1
# getsebool httpd_can_network_connect
httpd_can_network_connect --> on
# semanage boolean --list | grep httpd_can_network_connect
httpd_can_network_connect_db        (off , off)  Allow HTTPD scripts and modules to connect to databases over the network.
httpd_can_network_connect           (on , on)    Allow HTTPD scripts and modules to connect to the network using TCP.
httpd_can_network_connect_cobbler   (off , off)  Allow HTTPD scripts and modules to connect to cobbler over the network.

# rpm -q policycoreutils libselinux selinux-policy
policycoreutils-2.2.3-1.fc21.x86_64
libselinux-2.2-1.fc21.x86_64
selinux-policy-3.13.1-6.fc21.noarch
Created attachment 829609: strace
Any idea what might be wrong? I tried other booleans and they weren't set as well.
Did you test it in permissive mode? Any chance you are getting AVC msgs? Also, could you try the latest rawhide policy?

selinux-policy-targeted-3.13.1-6.fc21.noarch
I tried in permissive as well and I'm not getting any AVCs either.
Nothing with selinux-policy-targeted-3.13.1-6.fc21.noarch either.
Does semodule -B fail?
Jan, you could also try reinstalling selinux-policy-targeted:

# yum reinstall selinux-policy-targeted
Reinstalling selinux-policy-targeted doesn't help. However, semodule -B fails:

# semodule -B
libsepol.permission_copy_callback: Module logicalfile depends on permission kill in class service, not satisfied (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule: Failed!
# echo $?
1

The module logicalfile probably controls rights for the 'openlmi-logicalfile' package, which is not installed. But I do have some symlinks in the places that installation of the package would populate, because I'm using a git version. Can that be a problem?
You need to re-compile this module. Please do:

# semodule -r logicalfile
# yum reinstall selinux-policy-targeted

and then you can recompile/reload logicalfile.pp. Btw, how does the logicalfile policy look? We should have it in the policy.
So I did:

# semodule -r logicalfile
# yum reinstall selinux-policy-targeted
... <ok>
# semodule -B
# setsebool -P httpd_can_network_connect 1
# semanage boolean --list | grep httpd_can_network_connect
...
httpd_can_network_connect      (on , on)  Allow HTTPD scripts and modules to connect to the network using TCP.
...

Seems to be working now, thanks for the help! I guess this bug can be closed as NOTABUG/WORKSFORME.
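The diagnosis in this thread generalises: a silent `setsebool -P` exit status of 255 means the persistent policy store could not be rebuilt, and `semodule -B` is the command that actually shows why. The script below is an added example written for this page (it is not from the bug report, Fedora or the SELinux userspace project) that automates the steps the thread arrives at: check the `setsebool -P` exit status, run `semodule -B`, pull the offending module name out of libsepol's "Module X depends on ... not satisfied" message instead of hard-coding `logicalfile`, remove that module, reinstall `selinux-policy-targeted`, rebuild, and retry the boolean. The function and variable names (`stale_module_from_output`, `classify_setsebool_status`, `fix_boolean`, `SAMPLE_SEMODULE_OUTPUT`) are this example's own; the `semodule -B`, `semodule -r`, `setsebool -P` and `yum reinstall` invocations are the ones used in the thread, and `yum reinstall -y` only adds the standard non-interactive flag. The full repair path needs root on an SELinux host, so it only runs when a boolean name and value are passed on the command line.

```shell
#!/bin/sh
# Added example: diagnose and repair a persistently failing `setsebool -P`.
# Not part of the original bug report.

# Constructed sample: the libsepol/libsemanage lines from the thread, used
# to exercise the parser without touching the live policy store.
SAMPLE_SEMODULE_OUTPUT='libsepol.permission_copy_callback: Module logicalfile depends on permission kill in class service, not satisfied (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule: Failed!'

# Extract the module name from libsepol's "Module X depends on ... not
# satisfied" message. Prints nothing if no such line is present.
stale_module_from_output() {
    printf '%s\n' "$1" \
        | sed -n 's/.*Module \([^ ]*\) depends on .*not satisfied.*/\1/p' \
        | head -n 1
}

# Map setsebool's exit status to a short verdict. 255 is the silent
# "could not update the policy store" case reported in the thread.
classify_setsebool_status() {
    case "$1" in
        0)   echo "ok" ;;
        255) echo "store-update-failed" ;;
        *)   echo "error" ;;
    esac
}

# Full procedure (hypothetical helper for this example; needs root and
# SELinux). Mirrors the thread: if the store rebuild names a module whose
# dependencies no longer link against the installed base policy, drop it,
# reinstall the policy package, rebuild, and set the boolean again.
fix_boolean() {
    bool="$1"; value="$2"
    if setsebool -P "$bool" "$value"; then
        echo "$bool set permanently"
        return 0
    fi
    rc=$?
    echo "setsebool -P exited $rc ($(classify_setsebool_status "$rc")); running semodule -B" >&2
    if build_out=$(semodule -B 2>&1); then
        echo "semodule -B succeeded; the failure is not a stale module" >&2
        return 1
    fi
    mod=$(stale_module_from_output "$build_out")
    if [ -z "$mod" ]; then
        printf '%s\n' "$build_out" >&2
        return 1
    fi
    echo "module '$mod' no longer links against the base policy; removing it" >&2
    semodule -r "$mod" || return 1
    yum reinstall -y selinux-policy-targeted || return 1
    semodule -B || return 1
    setsebool -P "$bool" "$value"
}

# Offline demonstration of the parser on the constructed sample.
echo "stale module in sample output: $(stale_module_from_output "$SAMPLE_SEMODULE_OUTPUT")"

# Only touch the live system when explicitly asked, e.g.:
#   sudo sh fix_boolean.sh httpd_can_network_connect 1
if [ "$#" -eq 2 ]; then
    fix_boolean "$1" "$2"
fi
```

After the repair, rebuilding or reloading the removed module's `.pp` against the current base policy (as suggested in the thread) restores its rules; until then its domains are unconfined by it.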