Displaying 19 results from an estimated 19 matches for "httpd_can_network_connect".

2016 Apr 12
3
selinux getsebool request
On 04/12/2016 02:31 PM, James Hogarth wrote: > For example: > > unless => "/usr/sbin/getsebool httpd_can_network_connect | /usr/bin/grep -- '--> on' > &> /dev/null" D'oh! That's what I get for overcomplicating the whole darn thing. :) > > Incidentally one nice trick if you're dealing with potentially changing > multiple booleans and the policy compile time is to either skip -P and > und...
2016 Apr 13
0
selinux getsebool request
On Tue, 12 Apr 2016, John Jasen wrote: > On 04/12/2016 02:31 PM, James Hogarth wrote: >> For example: >> >> unless => "/usr/sbin/getsebool httpd_can_network_connect | /usr/bin/grep -- '--> on' >> &> /dev/null" > > D'oh! That's what I get for overcomplicating the whole darn thing. :) >> >> Incidentally one nice trick if you're dealing with potentially changing >> multiple booleans and the policy compile time is to ei...
2017 Sep 29
1
[Fwd: Re: [HEADS UP] Default value of SELinux boolean httpd_graceful_shutdown will changed.]
...~5 days. >> >> Together with Dan Walsh, we agreed on that httpd_graceful_shutdown >> boolean should be by default turned off. This boolean allows HTTPD to >> connect to port 80 for graceful shutdown, but it's breaking the >> functionality of another boolean called: httpd_can_network_connect. >> This boolean allows HTTPD scripts and modules to connect to the >> network using TCP and it's turned off by default. >> >> Turning this boolean off can cause some troubles, on web-servers where >> processes with httpd_t SELinux domain connecting to tcp ports: 8...
2016 Apr 12
3
selinux getsebool request
Out of faint curiosity, how do we push change requests upstream to RHEL? I'm using puppet to automate systems, including the application of SELinux policy. While setsebool -P is non-damaging to repeat, it is time consuming -- taking about 45 seconds per execution to process the existing policy and re-commit to disk. I'd like a simple ability to put an unless in the execution of
2016 Jan 29
2
Apache doesn't display "It works page" under CentOS 7
On Fri, Jan 29, 2016 at 11:41 AM, Michael H <michael at wemoto.com> wrote: > setsebool -P httpd_can_network_connect on > firewall-cmd --add-service=http --permanent > I have run those two and still can't access. I have restarted httpd and iptables services after running those lines. BTW, what do those mean? Is setsebool part of SELinux? Or is this a new kind of extra security layer on CentOS7? I am moving fro...
2020 Jun 18
1
Can't access Squirrelmail on Centos 8
...'s logfile. Always the logs! They have >>> the necessary information you need to debug your situation. >>> >>> Alexander >> >> I enabled both those options. tried to access again, same issue. > > Sorry, which 2 options did you enable? I turned on httpd_can_network_connect --> on httpd_can_sendmail --> on I restarted httpd. > >> Log file: >> [Thu Jun 18 17:08:31.160897 2020] [authz_core:error] [pid 10427:tid 140567258310400] [client 10.20.30.61:34096] AH01630: client denied >> by >> server configuration: /usr/share/squirrelmail/src/...
2016 Jan 29
2
Apache doesn't display "It works page" under CentOS 7
I have Apache/2.4.6 installed in a minimal CentOS 7 VM. I am trying to access the default page when Apache is installed by accessing the CentOS IP as http://192.168.3.130 (is a host only interface) but I got "This webpage is not available: ERR_CONNECTION_TIMED_OUT" and I can't find why. I have stopped iptables and then checked: # service iptables status Redirecting to /bin/systemctl
2020 Jun 18
3
Can't access Squirrelmail on Centos 8
...onfigtest file, Turning off the firewall resulted in same issue. > > I have this in my squirrelmail notes for Centos 6, maybe this is a similar issue for you on Centos 8: > > After configuring squirrelmail, do this to make selinux accept squirrelmail connections: > > setsebool -P httpd_can_network_connect 1 > > (The -P makes it permanent across reboots. This command takes quite a while to run, so don't worry about the waiting) > > Then this to allow apache to connect to sendmail: > > setsebool -P httpd_can_sendmail 1 > > Also takes a long time to run. I am not using sel...
2020 Jun 18
5
Can't access Squirrelmail on Centos 8
Good evening, I have not been able to run the http://ip-addr/src/configtest.php script, nor access Squirrelmail. Looking for suggestions on what I might have missed. When I try either http://ip-... or https://ip-..., I get the following reply Forbidden You don't have permission to access /webmail/src/configtest.php on this server. I got squirrelmail installed in /usr/share/squirrelmail and
2016 Jan 29
0
Apache doesn't display "It works page" under CentOS 7
...Apache is installed by accessing the CentOS IP > as http://192.168.3.130 (is a host only interface) but I got "This webpage > is not available: ERR_CONNECTION_TIMED_OUT" and I can't find why. I have > stopped iptables and then checked: my first guess would be; setsebool -P httpd_can_network_connect on firewall-cmd --add-service=http --permanent if you're serving over https you'll also want; firewall-cmd --add-service=https --permanent if you intend on sending email; setsebool -P httpd_can_sendmail on
2016 Jan 29
0
Apache doesn't display "It works page" under CentOS 7
On 29/01/16 16:45, reynierpm at gmail.com wrote: > On Fri, Jan 29, 2016 at 11:41 AM, Michael H <michael at wemoto.com> wrote: > >> setsebool -P httpd_can_network_connect on >> firewall-cmd --add-service=http --permanent >> > > I have run those two and still can't access. I have restarted httpd and > iptables services after running those lines. BTW, what do those mean? Is setsebool > part of SELinux? Or is this a new kind of extra security layer...
2016 Apr 12
0
selinux getsebool request
...I'd start with a feature request upstream, or in Fedora, and then request a backport of that into RHEL after it is added. For the purposes of your specific need can't you pipe getsebool to grep for your unless to check if it's set? For example: unless => "/usr/sbin/getsebool httpd_can_network_connect | /usr/bin/grep -- '--> on' &> /dev/null" Incidentally one nice trick if you're dealing with potentially changing multiple booleans and the policy compile time is to either skip -P and understand it's not persistent so puppet needs to fix at boot, or passing multiple booleans to setsebo...
2020 Jun 18
0
Can't access Squirrelmail on Centos 8
On Thu, 18 Jun 2020 16:11:01 -0400 Jay Hart wrote: > Any suggestions???? selinux issue? I have this in my squirrelmail notes for Centos 6, maybe this is a similar issue for you on Centos 8: After configuring squirrelmail, do this to make selinux accept squirrelmail connections: setsebool -P httpd_can_network_connect 1 (The -P makes it permanent across reboots. This command takes quite a while to run, so don't worry about the waiting) Then this to allow apache to connect to sendmail: setsebool -P httpd_can_sendmail 1 Also takes a long time to run. Note that in SquirrelMail versions 1.5.0 and up, if yo...
2020 Aug 07
0
Reset booleans to default value ?
Hi, Here's a list of all the booleans I tweaked on my server running CentOS 7: $ sudo cat /etc/selinux/targeted/active/booleans.local # This file is auto-generated by libsemanage # Do not edit directly. named_write_master_zones=0 httpd_can_sendmail=1 httpd_unified=1 ftpd_full_access=1 httpd_can_network_connect=1 spamd_enable_home_dirs=1 How can I "reset" (in a manner of speaking) these booleans to their default value post-install? Ideally, the booleans.local file should be empty, but since it's auto-generated, there's not much sense in simply erasing it. Curiously enough, I didn'...
2008 Nov 04
1
How to get Bugzilla working on CentOS 5.2 with SELinux turned on?
Hi. Has anyone figured out how to get Bugzilla working on CentOS 5.2 WITHOUT TURNING OFF SELINUX? I've run chcon -R --reference=/var/www/html /path/to/bugzilla and added the following module (generated by audit2allow), but am still getting errors in my Web browser trying to use Bugzilla: Software error: Can't connect to the database. Error: could not connect to server:
2007 Jul 28
2
Any SELinux gurus around?
Hey all, I'm having some trouble getting PHP5 w/ CentOS 5 to connect to a remote MySQL server using the standard mysql_connect() call. Yes, MySQL libraries are installed along with php-mysql... The only way I can get it to work is to run setenforce Permissive, otherwise the connection fails. The annoying thing is that nothing at all shows up in my /var/log/messages file describing why
2020 Jun 18
2
Can't access Squirrelmail on Centos 8
> On 18.06.2020 at 22:37, Jay Hart wrote: >>> On Thu, 18 Jun 2020 16:11:01 -0400 >>> Jay Hart wrote: >>> >>>> Any suggestions???? >>> selinux issue? >> I turned the firewall off and tried to access /webmail and the configtest file, Turning off the firewall resulted in same issue. > > Frank was hinting to SELinux preventing access. A
2010 Sep 29
5
Forbidden: can't access *.html files in /var/www/html
..._httpd_cvs_script_anon_write --> off allow_httpd_mod_auth_pam --> off allow_httpd_nagios_script_anon_write --> off allow_httpd_prewikka_script_anon_write --> off allow_httpd_squid_script_anon_write --> off allow_httpd_sys_script_anon_write --> off httpd_builtin_scripting --> on httpd_can_network_connect --> off httpd_can_network_connect_db --> off httpd_can_network_relay --> off httpd_can_sendmail --> on httpd_disable_trans --> off httpd_enable_cgi --> on httpd_enable_ftp_server --> off httpd_enable_homedirs --> on httpd_read_user_content --> off httpd_rotatelogs_disable...
2013 Sep 06
2
puppetlabs/puppetdb module when using passenger for master
..."right"..... Thanks! # cat manifests/master-config.pp include epel class { 'puppetdb': listen_address => 'puppet.example.com', open_listen_port => true, } class { 'puppetdb::master::config': } selboolean { "httpd_can_network_connect": persistent => true, value => on, } # puppet apply master-config.pp Warning: Config file /etc/puppet/hiera.yaml not found, using Hiera defaults Error: Could not start Service[puppetmaster]: Execution of '/sbin/service puppet master start' returned 1:...