Another selinux denial to be dealt with.
Gene Heskett
gene.heskett at verizon.net
Tue Jan 22 15:37:23 UTC 2008
Greetings;
Verizon makes life a bitch by violating common carrier rules when they block
port 80 to keep their customers from running a web server. But port 85
appears to be an unassigned port, and I have successfully used it to test when
selinux, privoxy and squid were not running. Now they are, and an attempted
connect to http://gene.homelinux.net:85 now gets a 503 cuz selinux denies it.
As saved from setroubleshooter:
=================
Summary:
SELinux is preventing the privoxy(/usr/sbin/privoxy) (privoxy_t) from connecting
to port 85.
Detailed Description:
SELinux has denied the privoxy(/usr/sbin/privoxy) from connecting to a network
port 85 which does not have an SELinux type associated with it. If
privoxy(/usr/sbin/privoxy) is supposed to be allowed to connect on this port,
you can use the semanage command to add this port to a port type that privoxy_t
can connect to. semanage port -L will list all port types. Please file a bug
report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the
selinux-policy package. If privoxy(/usr/sbin/privoxy) is not supposed to bind to
this port, this could signal a intrusion attempt.
Allowing Access:
If you want to allow privoxy(/usr/sbin/privoxy) to connect to this port semanage
port -a -t PORT_TYPE -p PROTOCOL 85 Where PORT_TYPE is a type that privoxy_t can
connect.
Additional Information:
Source Context system_u:system_r:privoxy_t:s0
Target Context system_u:object_r:reserved_port_t:s0
Target Objects None [ tcp_socket ]
Source privoxy(/usr/sbin/privoxy)
Port 85
Host coyote.coyote.den
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.0.8-76.fc8
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name connect_ports
Host Name coyote.coyote.den
Platform Linux coyote.coyote.den 2.6.24-rc8 #2 SMP Wed Jan 16 22:47:57 EST 2008 i686 athlon
Alert Count 4
First Seen Tue 22 Jan 2008 10:10:07 AM EST
Last Seen Tue 22 Jan 2008 10:11:16 AM EST
Local ID 748d1fcf-28fe-4b1b-87c3-40a0b272393d
Line Numbers
Raw Audit Messages
host=coyote.coyote.den type=AVC msg=audit(1201014676.609:434): avc: denied { name_connect } for pid=14357
comm="privoxy" dest=85 scontext=system_u:system_r:privoxy_t:s0 tcontext=system_u:object_r:reserved_port_t:s0
tclass=tcp_socket
host=coyote.coyote.den type=SYSCALL msg=audit(1201014676.609:434): arch=40000003 syscall=102 success=no exit=-13 a0=3
a1=b67366e0 a2=b6736798 a3=0 items=0 ppid=1 pid=14357 auid=4294967295 uid=73 gid=73 euid=73 suid=73 fsuid=73 egid=73
sgid=73 fsgid=73 tty=(none) comm="privoxy" exe="/usr/sbin/privoxy" subj=system_u:system_r:privoxy_t:s0 key=(null)
==================
What can I do to allow this? The above isn't precise enough for me to go stumbling around.
2nd, do these mailing lists echo each other? If so, sorry about hitting both.
--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Real Users hate Real Programmers.
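An added example, not part of Gene's post or of setroubleshooter itself: a small POSIX shell helper that parses a raw AVC line like the one quoted above and derives the `semanage port` command the alert text describes, so the port type and protocol are read from the denial rather than guessed. The port type `http_port_t` passed in is an assumption (a type that privoxy_t is expected to be allowed to connect to under the targeted policy); the candidate type should be confirmed against `semanage port -L` before the command is applied. The second sample line is constructed to show the other branch, where the port already carries a specific label and relabeling is the wrong fix.

```shell
#!/bin/sh
# Added example: derive the remediation for a name_connect/name_bind AVC denial.
# Nothing here runs semanage; the functions only print the command to review.

# Constructed sample: the AVC line from the setroubleshooter report, on one line.
AVC_SAMPLE='host=coyote.coyote.den type=AVC msg=audit(1201014676.609:434): avc: denied { name_connect } for pid=14357 comm="privoxy" dest=85 scontext=system_u:system_r:privoxy_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket'

# Constructed sample (hypothetical): the target port already has a specific type.
AVC_LABELED_SAMPLE='host=coyote.coyote.den type=AVC msg=audit(1201014700.000:435): avc: denied { name_connect } for pid=14357 comm="privoxy" dest=3128 scontext=system_u:system_r:privoxy_t:s0 tcontext=system_u:object_r:squid_port_t:s0 tclass=tcp_socket'

# Constructed sample: the SYSCALL record that accompanies the AVC; not a denial line.
SYSCALL_SAMPLE='host=coyote.coyote.den type=SYSCALL msg=audit(1201014676.609:434): arch=40000003 syscall=102 success=no exit=-13 pid=14357 uid=73 comm="privoxy" exe="/usr/sbin/privoxy" subj=system_u:system_r:privoxy_t:s0 key=(null)'

# avc_field LINE KEY: print the value of KEY=value in LINE (empty if absent).
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# ctx_type CONTEXT: the type field of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_remediation LINE PORT_TYPE
# Prints the semanage command that labels the denied port with PORT_TYPE when the
# port carries only a generic label, or a note when it is already labeled (then a
# policy rule, not a relabel, is needed). Returns 1 for lines that are not a
# name_connect/name_bind AVC on a TCP or UDP socket.
avc_remediation() {
    line=$1
    port_type=$2

    case "$line" in
        *type=AVC*name_connect*|*type=AVC*name_bind*) ;;
        *) return 1 ;;
    esac

    # name_connect denials carry the port as dest=; name_bind denials as src=.
    port=$(avc_field "$line" dest)
    [ -n "$port" ] || port=$(avc_field "$line" src)
    [ -n "$port" ] || return 1

    stype=$(ctx_type "$(avc_field "$line" scontext)")
    ttype=$(ctx_type "$(avc_field "$line" tcontext)")

    case "$(avc_field "$line" tclass)" in
        tcp_socket) proto=tcp ;;
        udp_socket) proto=udp ;;
        *) return 1 ;;
    esac

    case "$ttype" in
        reserved_port_t|port_t|unreserved_port_t)
            # Generic label only: assign a type the source domain may use.
            printf 'semanage port -a -t %s -p %s %s\n' "$port_type" "$proto" "$port"
            ;;
        *)
            printf '# port %s/%s already labeled %s; %s needs a policy rule, see: audit2allow -w\n' \
                "$port" "$proto" "$ttype" "$stype"
            ;;
    esac
}

# Usage: print the suggested command for the denial from the report.
avc_remediation "$AVC_SAMPLE" http_port_t
```

The printed `semanage port -a` line is meant to be reviewed and then run as root; after applying it, `semanage port -l | grep http_port_t` should list 85, and the 503 from privoxy should go away once it is restarted. If the helper prints the "already labeled" note instead, adding the port to another type would fail or break the service that owns that type, which is why the two cases are kept apart.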