Bug 249670 - Missing output from `service httpd ...'
Missing output from `service httpd ...'
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
7
x86_64 Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
: 249671 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-07-26 07:08 EDT by Eli Barzilay
Modified: 2007-11-30 17:12 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-09-04 16:17:02 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Eli Barzilay 2007-07-26 07:08:13 EDT
Description of problem:

  Using `service httpd start', or `... restart' etc, does not show any output
  when selinux is set to `enforcing'.

Version-Release number of selected component (if applicable):


How reproducible:

  Always.

Steps to Reproduce:
1. Make sure that you have an httpd.conf file with something that will show a
   warning
2. Set selinux to enforcing mode
3. service httpd restart
4. Now set selinux to permissive mode
5. service httpd restart

Actual results:
  First restart shows nothing, second one shows a warning.

Expected results:
  Always show a warning.

Additional info:
  I haven't tried other service, so this might be a problem with `service', or
  with the selinux setup.  Feel free to change the component if it's not an
  apache problem.
Comment 1 Joe Orton 2007-07-26 07:53:31 EDT
*** Bug 249671 has been marked as a duplicate of this bug. ***
Comment 2 Daniel Walsh 2007-07-26 09:12:07 EDT
It is considered a potential security problem if a daemon is able to communicate
with the terminal.  Think of a compromised daemon putting up the 
Login:
Passwd:

prompt.  So by default SELinux does not allow confined daemons to communicate
with the terminal.  You can allow the http to communicate with ther terminal by
setting the httpd_tty_comm boolean.

setsebool -P httpd_tty_comm=1

If you want all of your confined daemons to talk to ther terminal you can set
the boolean allow_daemons_use_tty.

setsebool -P allow_daemons_use_tty=1
Comment 3 Eli Barzilay 2007-07-26 15:14:12 EDT
I understand the reason, but the result is, IMO, terrible.  Well, personally it
is terrible since I just spent a good number of hours chasing problems that I did
not see -- and didn't even have an indication that there is a problem.

A better solution would be to forbid using stdin, but still show stdout and
stderr.  Without this, I don't see myself ever using selinux, and I don't see it
becoming more popular.  If that will take time, then at least show some message
saying that there was some output that got blocked.
Comment 4 Daniel Walsh 2007-09-04 16:17:02 EDT
Changed the defaults in rawhide to allow output of terminals.

Note You need to log in before you can comment on or make changes to this bug.