I need some clarification on the httpd_graceful_shutdown SELinux boolean

A bit of context first. I’m working on a Symfony (PHP framework) application, using httpd + php-fpm as the web server on Fedora 32. To allow it to work, I had to make some changes.

  • Cache and log directories were given the httpd_sys_rw_content_t label.
  • Since I’m using MariaDB, the httpd_can_network_connect_db boolean had to be enabled.

This is an e-commerce application. At some point I began to integrate the payments API (MercadoPago). The PHP SDK provided by them makes a connection to the API server. That’s when it happened. SELinux blocked this connection.

type=AVC msg=audit(1591281265.228:417): avc: denied { name_connect } for pid=12114 comm="php-fpm" dest=443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0

So I started looking for similar issues on Red Hat Bugzilla. This is nearly identical:
https://bugzilla.redhat.com/show_bug.cgi?id=1528722. The suggested solution is to turn on the httpd_graceful_shutdown boolean, which is off by default. It works, which is great, but its name is not intuitive to me.

I started searching for “graceful shutdown httpd apache” and all I learned is that httpd can perform a graceful stop, which makes the parent httpd process wait for child processes to stop before it does, or something like that. It’s still not clear how this relates to PHP being unable to make a TCP connection.

The manpage describes it like this:

If you want to allow HTTPD to connect to port 80 for graceful shutdown, you must turn on the httpd_graceful_shutdown boolean.

This conversation from 2017, “[HEADS UP] Default value of SELinux boolean httpd_graceful_shutdown will changed.” (devel - Fedora Mailing-Lists), at least explains the difference between httpd_can_network_connect and httpd_graceful_shutdown.

Turning on httpd_graceful_shutdown you allow httpd_t domain connecting
just to ports labeled as httpd_port_t.

Turning on httpd_can_network_connect you allow httpd_t domain connecting
to all ports from SELinux POV.

Another conversation (can’t add any more links) from an SELinux/NSA mailing list in 2017 says this boolean is no longer needed and suggests removing it from Fedora…

So, in short, I’m trying to figure out what the hell is a graceful shutdown in this context?

1 Like

I think that this is just a case of bad naming.

It probably went like this: SELinux policy broke Apache graceful shutdown, it turned out that Apache needs to be able to connect to port 80 (localhost) for graceful shutdown, since not everybody needs graceful shutdown another boolean was introduced - and - since that boolean fixes graceful shutdown it was named httpd_graceful_shutdown.

Basically, httpd_graceful_shutdown is now the most precise toggle to allow your web-server to connect to port 80 (localhost or not) for whatever reason. For example, you also need to allow such connections for OCSP stapling - also if you’re using another web-server such as nginx.

Other better named httpd booleans such as httpd_can_network_connect or httpd_can_network_relay also allow connecting to port 80 - but also to some other ports. Thus, if you just need port 80 then httpd_graceful_shutdown really is the minimal setting.

See also:

4 Likes
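As an added example (not part of either post above, and not a Fedora or SELinux tool), here is a small Python triage helper that parses AVC records like the one quoted in the question and maps the target port type to the narrowest httpd boolean named in this thread. The mapping table is an assumption drawn from the thread itself: http_port_t (which covers 443 as well as 80, which is why the denial above is fixed by a boolean whose manpage talks about port 80) maps to httpd_graceful_shutdown, mysqld_port_t maps to httpd_can_network_connect_db as the question's MariaDB setup implies, and anything else falls back to the broad httpd_can_network_connect and is flagged as such. The first log line is the one from the question; the other two are constructed.

```python
import re

# Sample audit records. The first is the AVC quoted in the question; the
# second and third are constructed variants (a database port and an
# unrelated high port) to show how the recommendation narrows or widens.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1591281265.228:417): avc: denied { name_connect } for pid=12114 '
    'comm="php-fpm" dest=443 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0',
    'type=AVC msg=audit(1591281300.000:418): avc: denied { name_connect } for pid=12114 '
    'comm="php-fpm" dest=3306 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0',
    'type=AVC msg=audit(1591281400.000:419): avc: denied { name_connect } for pid=12114 '
    'comm="php-fpm" dest=9200 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0',
]

# Assumed mapping from target port type to the narrowest boolean discussed in
# the thread. Port types not listed here fall back to the broad boolean.
NARROW_BOOLEAN_FOR_PORT_TYPE = {
    "http_port_t": "httpd_graceful_shutdown",       # port 80/443 only
    "mysqld_port_t": "httpd_can_network_connect_db",  # database ports only
}
BROAD_BOOLEAN = "httpd_can_network_connect"  # every port from SELinux's point of view

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split one AVC record into the permission set and its key=value fields."""
    match = AVC_RE.search(line)
    if match is None:
        raise ValueError("not an AVC denial record: %r" % line)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(match.group("rest"))}
    # A context is user:role:type[:range]; the type is the third component.
    return {
        "perms": match.group("perms").split(),
        "fields": fields,
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "enforced": fields.get("permissive") == "0",
    }


def recommend(avc):
    """Pick the least-privilege httpd boolean for a name_connect denial.

    Returns None for denials this helper does not understand, so that
    unrelated records are not silently turned into boolean changes.
    """
    if avc["source_type"] != "httpd_t":
        return None
    if avc["fields"].get("tclass") != "tcp_socket" or "name_connect" not in avc["perms"]:
        return None
    boolean = NARROW_BOOLEAN_FOR_PORT_TYPE.get(avc["target_type"])
    scope = "narrow"
    if boolean is None:
        boolean, scope = BROAD_BOOLEAN, "broad"
    return {
        "boolean": boolean,
        "scope": scope,
        "dest": avc["fields"].get("dest"),
        "target_type": avc["target_type"],
        "command": "setsebool -P %s on" % boolean,
    }


def triage(lines):
    """Run parse + recommend over a batch of audit lines."""
    return [recommend(parse_avc(line)) for line in lines]


if __name__ == "__main__":
    for rec in triage(SAMPLE_AVCS):
        print("%-6s port %-5s (%s) -> %s  [%s]"
              % (rec["scope"], rec["dest"], rec["target_type"], rec["command"],
                 "review: widens policy" if rec["scope"] == "broad" else "ok"))
```

The point of the `scope` field is the one the answer makes: when the denial is against http_port_t, httpd_graceful_shutdown is sufficient, and reaching for httpd_can_network_connect would grant connections to every port for a problem that only needed one port type.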
