Red Hat Bugzilla – Bug 249670
Missing output from `service httpd ...'
Last modified: 2007-11-30 17:12:11 EST
Description of problem:
Using `service httpd start', or `... restart' etc, does not show any output
when selinux is set to `enforcing'.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Make sure that you have an httpd.conf file with something that will show a
2. Set selinux to enforcing mode
3. service httpd restart
4. Now set selinux to permissive mode
5. service httpd restart
First restart shows nothing, second one shows a warning.
Always show a warning.
I haven't tried other services, so this might be a problem with `service', or
with the selinux setup. Feel free to change the component if it's not an
*** Bug 249671 has been marked as a duplicate of this bug. ***
It is considered a potential security problem if a daemon is able to communicate
with the terminal. Think of a compromised daemon putting up the
prompt. So by default SELinux does not allow confined daemons to communicate
with the terminal. You can allow the http to communicate with the terminal by
setting the httpd_tty_comm boolean.
setsebool -P httpd_tty_comm=1
If you want all of your confined daemons to talk to the terminal you can set
the boolean allow_daemons_use_tty.
setsebool -P allow_daemons_use_tty=1
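Added example, not part of the comment above or of the bug report: a check that scans audit log text for AVC denials where a confined daemon was refused access to a terminal device, and names the boolean from this thread that governs it. The log lines are constructed, the terminal type names are assumptions, and it assumes such denials are audited at all (policy can silence them with dontaudit rules).

```python
import re

# Constructed sample audit.log lines (not taken from the bug report).
SAMPLE_LOG = """\
type=AVC msg=audit(1185400000.101:41): avc:  denied  { read write } for  pid=2301 comm="httpd" name="1" dev=devpts ino=3 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1185400007.412:42): avc:  denied  { getattr } for  pid=2310 comm="httpd" name="index.html" dev=dm-0 ino=98211 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1185400011.007:43): avc:  denied  { write } for  pid=2333 comm="named" name="tty1" dev=tmpfs ino=1204 scontext=user_u:system_r:named_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1185400011.007:43): arch=40000003 syscall=4 success=no exit=-13 comm="named"
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
# Assumption: terminal objects carry a type ending in one of these names.
TTY_TYPE_RE = re.compile(r"(devpts|tty_device|console_device)_t$")

def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def blocked_tty_output(log_text):
    """List (comm, domain, perms, boolean) for each denied terminal access."""
    findings = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m["tclass"] != "chr_file":
            continue  # not an AVC denial on a character device
        if not TTY_TYPE_RE.search(type_of(m["tcontext"])):
            continue  # character device, but not a terminal
        domain = type_of(m["scontext"])
        # Booleans as named in the comment above: one for httpd, one for all daemons.
        boolean = "httpd_tty_comm" if domain == "httpd_t" else "allow_daemons_use_tty"
        findings.append((m["comm"], domain, m["perms"].split(), boolean))
    return findings

if __name__ == "__main__":
    for comm, domain, perms, boolean in blocked_tty_output(SAMPLE_LOG):
        print(f"{comm} ({domain}) denied {perms} on a terminal; governed by {boolean}")
```
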
I understand the reason, but the result is, IMO, terrible. Well, personally it
is terrible since I just spent a good number of hours chasing problems that I did
not see -- and didn't even have an indication that there is a problem.
A better solution would be to forbid using stdin, but still show stdout and
stderr. Without this, I don't see myself ever using selinux, and I don't see it
becoming more popular. If that will take time, then at least show some message
saying that there was some output that got blocked.
Changed the defaults in rawhide to allow output of terminals.