Bug 249670 - Missing output from `service httpd ...'
Summary: Missing output from `service httpd ...'
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy   
(Show other bugs)
Version: 7
Hardware: x86_64 Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords:
: 249671 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-07-26 11:08 UTC by Eli Barzilay
Modified: 2007-11-30 22:12 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-09-04 20:17:02 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Eli Barzilay 2007-07-26 11:08:13 UTC
Description of problem:

  Using `service httpd start', or `... restart' etc, does not show any output
  when selinux is set to `enforcing'.

Version-Release number of selected component (if applicable):


How reproducible:

  Always.

Steps to Reproduce:
1. Make sure that you have an httpd.conf file with something that will show a
   warning
2. Set selinux to enforcing mode
3. service httpd restart
4. Now set selinux to permissive mode
5. service httpd restart

Actual results:
  First restart shows nothing, second one shows a warning.

Expected results:
  Always show a warning.

Additional info:
  I haven't tried other service, so this might be a problem with `service', or
  with the selinux setup.  Feel free to change the component if it's not an
  apache problem.

Comment 1 Joe Orton 2007-07-26 11:53:31 UTC
*** Bug 249671 has been marked as a duplicate of this bug. ***

Comment 2 Daniel Walsh 2007-07-26 13:12:07 UTC
It is considered a potential security problem if a daemon is able to communicate
with the terminal.  Think of a compromised daemon putting up the 
Login:
Passwd:

prompt.  So by default SELinux does not allow confined daemons to communicate
with the terminal.  You can allow the http to communicate with ther terminal by
setting the httpd_tty_comm boolean.

setsebool -P httpd_tty_comm=1

If you want all of your confined daemons to talk to ther terminal you can set
the boolean allow_daemons_use_tty.

setsebool -P allow_daemons_use_tty=1


Comment 3 Eli Barzilay 2007-07-26 19:14:12 UTC
I understand the reason, but the result is, IMO, terrible.  Well, personally it
is terrible since I just spent a good number of hours chasing problems that I did
not see -- and didn't even have an indication that there is a problem.

A better solution would be to forbid using stdin, but still show stdout and
stderr.  Without this, I don't see myself ever using selinux, and I don't see it
becoming more popular.  If that will take time, then at least show some message
saying that there was some output that got blocked.

Comment 4 Daniel Walsh 2007-09-04 20:17:02 UTC
Changed the defaults in rawhide to allow output of terminals.


Note You need to log in before you can comment on or make changes to this bug.