Updated httpd.service man page text.

httpd.service.xml

@@ -59,6 +59,17 @@
     socket-based activation. Most systems will use
     <command>httpd.service</command>.</para>
 
+    <para>The <command>apachectl</command> command has been modified
+    to invoke <command>systemctl</command> for most uses, so for
+    example, running <command>apachectl start</command> is equivalent
+    to running <command>systemctl start httpd.service</command>.  This
+    ensures that the running httpd daemon is tracked and managed by
+    <command>systemd</command>.  In contrast, running
+    <command>httpd</command> directly from a root shell will start the
+    service outside of <command>systemd</command>; in this case,
+    default security restrictions described below (including, but not
+    limited to, SELinux) will not be enforced.</para>
+
     <refsect2>
       <title>Changing default behaviour</title>
 
@@ -73,13 +84,12 @@
       <filename>/etc/systemd/system/httpd.service.d</filename> which
       over-rides the system defaults.</para>
 
-      <para>For example, to set the <literal>LD_LIBRARY_PATH</literal>
+      <para>For example, to set the <option>LD_LIBRARY_PATH</option>
       environment variable for the daemon, run <command>systemctl edit
       httpd.service</command> and enter:
 
       <programlisting>[Service]
 Environment=LD_LIBRARY_PATH=/opt/vendor/lib</programlisting></para>
-
     </refsect2>
     
     <refsect2>
@@ -94,7 +104,7 @@ Environment=LD_LIBRARY_PATH=/opt/vendor/lib</programlisting></para>
       IPv4 or IPv6 address.</para>
 
       <para>If httpd is configured to depend on any specific IP
-      address (for example, with a "Listen" directive), which may only
+      address (for example, with a "Listen" directive) which may only
       become available during startup, or if httpd depends on other
       services (such as a database daemon), the service
       <emphasis>must</emphasis> be configured to ensure correct
@@ -102,7 +112,7 @@ Environment=LD_LIBRARY_PATH=/opt/vendor/lib</programlisting></para>
 
       <para>For example, to ensure httpd is only running after all
       configured network interfaces are configured, create a drop-in
-      file (as described above) with the following:
+      file (as described above) with the following section:
 
       <programlisting>[Unit]
 After=network-online.target
@@ -118,7 +128,7 @@ Wants=network-online.target</programlisting>
       <title>Reloading and stopping the service</title>
 
       <para>When running <command>systemctl reload
-      httpd.service</command>, a "<emphasis>graceful</emphasis>"
+      httpd.service</command>, a <emphasis>graceful</emphasis>
       restart is used, which sends a signal to the httpd parent
       process to reload the configuration and re-open log files. Any
       children with open connections at the time of reload will
@@ -128,7 +138,7 @@ Wants=network-online.target</programlisting>
       delay before any configuration changes take effect for all
       users.</para>
 
-      <para>Similarly, a "<emphasis>graceful stop</emphasis>" is used
+      <para>Similarly, a <emphasis>graceful stop</emphasis> is used
       when <command>systemctl stop httpd.service</command> is run,
       which terminates the server only once active connections have
       been processed.</para>
@@ -138,7 +148,7 @@ Wants=network-online.target</programlisting>
     <refsect2>
       <title>systemd integration and mod_systemd</title>
 
-      <para>httpd.service uses the "<option>notify</option>" systemd
+      <para>The httpd service uses the <option>notify</option> systemd
       service type. The <literal>mod_systemd</literal> module must be
       loaded (as in the default configuration) for this to work
       correctly - the service will fail if this module is not
@@ -153,12 +163,12 @@ Wants=network-online.target</programlisting>
       <title>Security and SELinux</title>
 
       <para>The default SELinux policy restricts the httpd service in
-      various ways. The ports to which httpd can bind (using the
+      various ways. For example, the default policy limits the ports
-      <literal>Listen</literal> directive), which parts of the
+      to which httpd can bind (using the <literal>Listen</literal>
-      filesystem can be accessed, whether outgoing TCP connections are
+      directive), which parts of the filesystem can be accessed, and
-      possible, are limited by default, for example. Many of these
+      whether outgoing TCP connections are possible. Many of these
-      restrictions can be lifted using SELinux booleans and port
+      restrictions can be adjusted using <command>semanage</command>
-      types. See
+      to change booleans or other types. See
       <citerefentry><refentrytitle>httpd_selinux</refentrytitle><manvolnum>8</manvolnum></citerefentry>
       for more information.</para>
 
@@ -191,7 +201,8 @@ Wants=network-online.target</programlisting>
     <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>, 
     <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
     <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
-      <citerefentry><refentrytitle>httpd_selinux</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+    <citerefentry><refentrytitle>httpd_selinux</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+    <citerefentry><refentrytitle>semanage</refentrytitle><manvolnum>8</manvolnum></citerefentry>
     </para>
   </refsect1>