Bug 249670 - Missing output from `service httpd ...'
Summary: Missing output from `service httpd ...'
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 7
Hardware: x86_64 Linux
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Duplicates: 249671
Reported: 2007-07-26 11:08 UTC by Eli Barzilay
Modified: 2007-11-30 22:12 UTC (History)
Doc Type: Bug Fix
Last Closed: 2007-09-04 20:17:02 UTC

Description Eli Barzilay 2007-07-26 11:08:13 UTC
Description of problem:

  Using `service httpd start', or `... restart' etc, does not show any output
  when selinux is set to `enforcing'.

Version-Release number of selected component (if applicable):

How reproducible:


Steps to Reproduce:
1. Make sure that you have an httpd.conf file with something that will show a
2. Set selinux to enforcing mode
3. service httpd restart
4. Now set selinux to permissive mode
5. service httpd restart

Actual results:
  First restart shows nothing, second one shows a warning.

Expected results:
  Always show a warning.

Additional info:
  I haven't tried other services, so this might be a problem with `service', or
  with the selinux setup.  Feel free to change the component if it's not an
  apache problem.

Comment 1 Joe Orton 2007-07-26 11:53:31 UTC
*** Bug 249671 has been marked as a duplicate of this bug. ***

Comment 2 Daniel Walsh 2007-07-26 13:12:07 UTC
It is considered a potential security problem if a daemon is able to communicate
with the terminal.  Think of a compromised daemon putting up the 

prompt.  So by default SELinux does not allow confined daemons to communicate
with the terminal.  You can allow the http to communicate with the terminal by
setting the httpd_tty_comm boolean.

setsebool -P httpd_tty_comm=1

If you want all of your confined daemons to talk to the terminal you can set
the boolean allow_daemons_use_tty.

setsebool -P allow_daemons_use_tty=1
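
Added example, not part of the original thread or of any Fedora tool: a shell check that reports whether httpd's terminal output would be hidden under the settings described in Comment 2, so the silent case gives an operator an explicit answer. The function names and the sample input are constructed for illustration; it assumes a policy whose defaults are those described in Comment 2, before the change noted in Comment 4.

```shell
#!/bin/sh
# Added example, not from the bug thread. Boolean names are the two from Comment 2.

# Constructed sample of `getsebool -a` output (not captured from a real host).
SAMPLE_BOOLS='allow_daemons_use_tty --> off
httpd_enable_cgi --> on
httpd_tty_comm --> off'

# bool_state NAME: read `getsebool`-style lines on stdin, print on/off/unknown.
# active/inactive (printed by some older getsebool versions) is also accepted.
bool_state() {
    awk -v name="$1" '
        $1 == name && $2 == "-->" {
            state = ($3 == "on" || $3 == "active") ? "on" : "off"
            found = 1
        }
        END { print (found ? state : "unknown") }'
}

# tty_output_verdict MODE BOOLEANS: print "visible: ..." (return 0) or
# "suppressed: ..." (return 1); MODE is the string printed by getenforce.
tty_output_verdict() {
    mode=$1
    bools=$2
    case "$mode" in
        Enforcing) ;;
        Permissive|Disabled) echo "visible: SELinux is $mode"; return 0 ;;
        *) echo "unknown: unrecognised mode '$mode'"; return 2 ;;
    esac
    for b in httpd_tty_comm allow_daemons_use_tty; do
        if [ "$(printf '%s\n' "$bools" | bool_state "$b")" = on ]; then
            echo "visible: $b is on"
            return 0
        fi
    done
    echo "suppressed: enforcing mode, httpd_tty_comm and allow_daemons_use_tty not on"
    return 1
}

# Pass --live to evaluate the running system instead of the sample.
if [ "${1:-}" = "--live" ]; then
    tty_output_verdict "$(getenforce)" "$(getsebool -a)"
fi
```

A "suppressed" verdict means a silent `service httpd restart' says nothing about whether httpd printed a warning; check the httpd error log or repeat the restart in permissive mode, as in the reproduction steps.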

Comment 3 Eli Barzilay 2007-07-26 19:14:12 UTC
I understand the reason, but the result is, IMO, terrible.  Well, personally it
is terrible since I just spent a good number of hours chasing problems that I did
not see -- and didn't even have an indication that there is a problem.

A better solution would be to forbid using stdin, but still show stdout and
stderr.  Without this, I don't see myself ever using selinux, and I don't see it
becoming more popular.  If that will take time, then at least show some message
saying that there was some output that got blocked.

Comment 4 Daniel Walsh 2007-09-04 20:17:02 UTC
Changed the defaults in rawhide to allow output of terminals.
