SELinux blocks my library catalog
Stuart Sears
stuart at sjsears.com
Sat Apr 15 17:38:18 UTC 2006
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Joel Gomberg wrote:
> Stuart Sears wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Joel Gomberg wrote:
>>> Joel Gomberg wrote:
>>>> My library uses port 8080 for accessing its catalog:
>>>>
>>>> http://oaklandlibrary.org:8080/ipac20/ipac.jsp?profile=#focus
>>>>
>>>> SELinux denies access. With setenforce=0, access is permitted, so I'm
>>>> sure it's a SELinux issue. After perusing the SELinux FAQ, I issued
>>>> this command:
>>>>
>>>> semanage port -a -p tcp -t http_port_t 8080.
>>>>
>>>> The response was that port 8080 was already defined.
>>>>
>>>> Suggestions are welcome.
>>> I forgot to include the relevant audit log entry:
>>>
>>> type=AVC msg=audit(1145058006.474:1026): avc: denied { name_connect }
>>> for pid=13185 comm="privoxy" dest=8080
>>> scontext=system_u:system_r:privoxy_t:s0
>>>
>>> --
>>> Joel
>>>
>> try:
>> semanage port -l | grep 8080
>>
>> you should see something like:
>> http_cache_port_t tcp 3128, 8080, 8118
>>
>> if you want to allow privoxy_t access to this port as well, you could
>> attempt this:
>> semanage port -m -p tcp -t privoxy_t 8080
>>
>> notice the -m instead of the -a (you're modifying an already defined
>> port, rather than adding a new one)
>>
>> see if that helps
>
> No go. The denial message has changed slightly, though:
>
> type=AVC msg=audit(1145112509.543:104): avc: denied { name_connect }
> for pid=4137 comm="privoxy" dest=8080
> scontext=system_u:system_r:privoxy_t:s0
> tcontext=system_u:object_r:privoxy_t:s0 tclass=tcp_socket
okay, it looks like we're in need of a number of policy changes to
permit privoxy_t to do its job.
first set permissive mode
setenforce 0
then...
are you running auditd?
audit2allow -i /var/log/audit/audit.log (if you are)
audit2allow -i /var/log/messages (if you aren't)
it will tell you what you have to permit privoxy_t to do before it can
bind to port 8080. I have a feeling it is going to need a few changes to
the reference policy
much of this may be best posted to fedora-selinux-list where the SELinux
bigwigs hang out. They are far more expert on this than I
Stuart
- --
Stuart Sears RHCA RHCX
To err is human, to forgive is Not Company Policy.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iD8DBQFEQS+KamPtx1brPQ4RAhBhAJ9kbQIg+7nWamXuoiPdUaGZje/uDQCfYT4O
4CHuqF8yq7l4BJhQCn8qMjE=
=+7RG
-----END PGP SIGNATURE-----
More information about the fedora-list
mailing list