
Bug 1168044

Summary: Httpd policy allows tcp_connect on 80:443 by default
Product: Red Hat Enterprise Linux 7
Reporter: William Brown <william>
Component: policycoreutils
Assignee: Petr Lautrbach <plautrba>
Status: CLOSED WONTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified
Priority: unspecified
Version: 7.2
CC: dwalsh, eparis, jorton, lvrabec, mgrepl, mmalik, plautrba, pmoore, pvrabec, ssekidde, vmojzis
Target Milestone: rc
Keywords: FutureFeature
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Enhancement
Story Points: ---
: 1292744 1292745
Last Closed: 2017-10-23 11:36:02 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1292744, 1292745

Description William Brown 2014-11-25 23:39:40 UTC
Description of problem:
sesearch -s httpd_t -t http_port_t -A -C

ET allow httpd_t http_port_t : tcp_socket name_connect ; [ httpd_graceful_shutdown ]


This is on by default. This allows the apache process to connect out on 80/443 by default, which may allow an attacker to create a network connection.

httpd_graceful_shutdown should either limit this connection to localhost, or not allow this rule.

Comment 2 Milos Malik 2014-11-26 07:36:16 UTC
I can confirm that:

# rpm -qa selinux-policy\*
selinux-policy-3.13.1-11.el7.noarch
selinux-policy-targeted-3.13.1-11.el7.noarch
# semanage boolean -l | grep httpd_graceful_shutdown
httpd_graceful_shutdown        (on   ,   on)  Allow HTTPD to connect to port 80 for graceful shutdown
#  sesearch -s httpd_t -t http_port_t -c tcp_socket -p name_connect -A -C
Found 4 semantic av rules:
ET allow httpd_t http_port_t : tcp_socket name_connect ; [ httpd_graceful_shutdown ]
DT allow httpd_t http_port_t : tcp_socket name_connect ; [ httpd_can_network_relay ]
DT allow nsswitch_domain reserved_port_type : tcp_socket name_connect ; [ nis_enabled ]
DT allow httpd_t port_type : tcp_socket name_connect ; [ httpd_can_network_connect ]
#

Other booleans are disabled by default.
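The check above is easy to script. The following is an added example (not code from the bug report or from selinux-policy) that parses `sesearch -C` output, reports which currently enabled booleans grant `httpd_t` outbound `name_connect`, and classifies the exposure; the embedded rules are a constructed copy of the four lines pasted in comment 2 so it runs offline.

```shell
#!/bin/sh
# Added example (not from the bug report or selinux-policy): audit "sesearch -C"
# output for booleans that currently grant a domain tcp_socket name_connect.
# Constructed sample input: the four rules from comment 2, captured so the audit
# runs without a live SELinux system.
SAMPLE_RULES='Found 4 semantic av rules:
ET allow httpd_t http_port_t : tcp_socket name_connect ; [ httpd_graceful_shutdown ]
DT allow httpd_t http_port_t : tcp_socket name_connect ; [ httpd_can_network_relay ]
DT allow nsswitch_domain reserved_port_type : tcp_socket name_connect ; [ nis_enabled ]
DT allow httpd_t port_type : tcp_socket name_connect ; [ httpd_can_network_connect ]'

# enabled_name_connect SOURCE_DOMAIN
# Reads sesearch -C style rules on stdin and prints "<target> <boolean>" for each
# conditional rule that is currently ENABLED ("ET" = enabled, true branch) and
# grants tcp_socket name_connect from SOURCE_DOMAIN.  "DT" rules belong to a
# boolean that is off and are skipped.
enabled_name_connect() {
    awk -v src="$1" '
        $1 == "ET" && $2 == "allow" && $3 == src &&
        $6 == "tcp_socket" && $7 == "name_connect" {
            # the gating boolean sits between "[" and "]" at the end of the line
            for (i = 8; i <= NF; i++) if ($i == "[") { print $4, $(i + 1); break }
        }'
}

# outbound_risk SOURCE_DOMAIN
# Classifies what the enabled rules allow: "any-port" if the domain may connect
# to every port (port_type), "http-ports" if only to http_port_t (80/443, the
# case this bug is about), "none" if no conditional name_connect rule is on.
outbound_risk() {
    rules=$(enabled_name_connect "$1")
    if printf '%s\n' "$rules" | grep -q '^port_type '; then echo any-port
    elif printf '%s\n' "$rules" | grep -q '^http_port_t '; then echo http-ports
    else echo none
    fi
}

# Run against the constructed sample.  On a real RHEL 7 host feed the live output
# of: sesearch -s httpd_t -c tcp_socket -p name_connect -A -C
printf '%s\n' "$SAMPLE_RULES" | enabled_name_connect httpd_t
printf '%s\n' "$SAMPLE_RULES" | outbound_risk httpd_t
```

If the result is anything but `none`, `setsebool -P httpd_graceful_shutdown off` (or the corresponding boolean) removes the rule, at the cost Joe Orton describes in comment 6.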

Comment 3 Miroslav Grepl 2014-12-02 13:19:41 UTC
I believe there was a reason.

Dan,
do you remember?

Comment 4 Daniel Walsh 2014-12-02 20:30:21 UTC
apachectl graceful I believe causes the apache server to connect to itself to shut itself down.

Over the years I have tried to get policy to fix the name_connect to take the IP Address into account (localhost) but we have never gotten the code written for this.

I would prefer not to have this boolean turned on for security purposes, but the httpd people complained about breakage.

Comment 5 Miroslav Grepl 2014-12-02 20:40:02 UTC
Ah, yes. 

AFAIK there was a bug where we discussed it with Joe.

Comment 6 Joe Orton 2014-12-03 08:58:26 UTC
"Fixed In Version: jorton", well that made me laugh :)

Yes, you remember right.  Strictly, httpd needs to be able to connect to any (addr, port) on which it has bound, listening sockets; "localhost" is not exactly what is required, unless that is taken to mean any addr/port on the local host.

This is used to pop children out of poll() loops during graceful restart and stop; if those connections are denied the httpd parent will spam the error log a lot.

Previous discussion at bug 757747, also bug 812926, probably others...

Comment 7 Paul Moore 2014-12-03 14:30:21 UTC
Somewhere around here I have some proof of concept kernel code for SELinux to add an IP address to a port label so we assign port labels using the addr/proto/port triple.  However, it still needs the associated userspace work and testing before we can do anything with it.

Who is working on the SELinux userspace these days?  I ask because I doubt I'll have time to work on it anytime soon.

Comment 8 Miroslav Grepl 2014-12-04 13:28:15 UTC
I can start to work on it the next year together with plautrba.

Comment 9 Paul Moore 2014-12-04 14:29:34 UTC
Okay, great.  I'll try to dig up the kernel code and clean it up.

Comment 16 Petr Lautrbach 2017-10-23 11:36:02 UTC
This problem is being discussed on https://github.com/SELinuxProject/selinux-kernel/issues/21. We would need to have a working solution in upstream kernel, userspace and policy before we can use it in Red Hat Enterprise Linux.  Therefore I'm closing this as WONTFIX.

Note that in Fedora 27+ apache server has been updated and there is no need to have httpd_graceful_shutdown enabled anymore.