SELinux blocks my library catalog

Joel Gomberg obligor11-fedora at yahoo.com
Sat Apr 15 17:58:48 UTC 2006


Stuart Sears wrote:
> 
> Joel Gomberg wrote:
>> Stuart Sears wrote:
>>>
>>> Joel Gomberg wrote:
>>>> Joel Gomberg wrote:
>>>>> My library uses port 8080 for accessing its catalog:
>>>>>
>>>>> http://oaklandlibrary.org:8080/ipac20/ipac.jsp?profile=#focus
>>>>>
>>>>> SELinux denies access.  With setenforce=0, access is permitted, so I'm
>>>>> sure it's a SELinux issue.  After perusing the SELinux FAQ, I issued
>>>>> this command:
>>>>>
>>>>> semanage port -a -p tcp -t http_port_t 8080.
>>>>>
>>>>> The response was that port 8080 was already defined.
>>>>>
>>>>> Suggestions are welcome.
>>>> I forgot to include the relevant audit log entry:
>>>>
>>>> type=AVC msg=audit(1145058006.474:1026): avc:  denied  { name_connect }
>>>> for  pid=13185 comm="privoxy" dest=8080
>>>> scontext=system_u:system_r:privoxy_t:s0
>>>>
>>>> -- 
>>>> Joel
>>>>
>>> try:
>>> semanage port -l | grep 8080
>>>
>>> you should see something like:
>>> http_cache_port_t              tcp      3128, 8080, 8118
>>>
>>> if you want to allow privoxy_t access to this port as well, you could
>>> attempt this:
>>> semanage port -m -p tcp -t privoxy_t 8080
>>>
>>> notice the -m instead of the -a (you're modifying an already defined
>>> port, rather than adding a new one)
>>>
>>> see if that helps
>> No go.  The denial message has changed slightly, though:
>>
>> type=AVC msg=audit(1145112509.543:104): avc:  denied  { name_connect }
>> for  pid=4137 comm="privoxy" dest=8080
>> scontext=system_u:system_r:privoxy_t:s0
>> tcontext=system_u:object_r:privoxy_t:s0 tclass=tcp_socket
> 
> okay, it looks like we're in need of a number of policy changes to
> permit privoxy_t to do its job.
> 
> first set permissive mode
> 
> setenforce 0
> 
> then...
> are you running auditd?
> audit2allow -i /var/log/audit/audit.log (if you are)
> audit2allow -i /var/log/messages (if you aren't)
> 
> it will tell you what you have to permit privoxy_t to do before it can
> bind to port 8080. I have a feeling it is going to need a few changes to
> the reference policy
> 
> much of this may be best posted to fedora-selinux-list where the SELinux
> bigwigs hang out. They are far more expert on this than I

Thanks for your help.  I've posted this question to the selinux list 
along with the output from the audit2allow command.

--
Joel
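The `audit2allow` step Stuart suggests turns AVC records like the two quoted in the thread into allow rules. The shell example below is added here and is not from the thread: it decomposes such a record into the rule audit2allow would propose (using the `self` shorthand when source and target types coincide, as in Joel's second denial) and refuses a truncated record like the first one quoted rather than guessing its target. The third sample record and the function name `avc_to_rule` are my own constructions.

```sh
# Added example (not from the thread): decompose SELinux AVC denial records
# into the type-enforcement rule audit2allow would propose, so the effect of
# a policy change can be reviewed before it is made.

# Both records below are copied from the thread; the first one is truncated
# in the mail (no tcontext/tclass), which the parser must notice.
AVC_TRUNCATED='type=AVC msg=audit(1145058006.474:1026): avc:  denied  { name_connect } for  pid=13185 comm="privoxy" dest=8080 scontext=system_u:system_r:privoxy_t:s0'
AVC_SELF='type=AVC msg=audit(1145112509.543:104): avc:  denied  { name_connect } for  pid=4137 comm="privoxy" dest=8080 scontext=system_u:system_r:privoxy_t:s0 tcontext=system_u:object_r:privoxy_t:s0 tclass=tcp_socket'
# Constructed record (not from the thread) with the port labelled
# http_cache_port_t, the type `semanage port -l` reports for 8080.
AVC_PORT='type=AVC msg=audit(1145000000.000:1): avc:  denied  { name_connect } for  pid=1 comm="privoxy" dest=8080 scontext=system_u:system_r:privoxy_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket'

# avc_to_rule RECORD: print "allow <src> <tgt>:<class> <perm>;" or fail (status 1)
# when the record lacks a field. Target becomes "self" when both types match,
# which is how audit2allow renders a domain acting on its own objects.
avc_to_rule() {
    printf '%s\n' "$1" | awk '
    {
        perm = ""; s = ""; t = ""; cls = ""
        if (match($0, /[{][^}]*[}]/)) {
            perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perm)
        }
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n != 2) continue
            if (kv[1] == "scontext") s = kv[2]
            else if (kv[1] == "tcontext") t = kv[2]
            else if (kv[1] == "tclass") cls = kv[2]
        }
        if (perm == "" || s == "" || t == "" || cls == "") {
            print "incomplete AVC record: need permission, scontext, tcontext, tclass"
            exit 1
        }
        # contexts are user:role:type:level; the rule needs only the type
        split(s, sf, ":"); split(t, tf, ":")
        tgt = (tf[3] == sf[3]) ? "self" : tf[3]
        printf "allow %s %s:%s %s;\n", sf[3], tgt, cls, perm
    }'
}

for rec in "$AVC_TRUNCATED" "$AVC_SELF" "$AVC_PORT"; do
    avc_to_rule "$rec" || echo "  (record skipped, nothing to allow yet)"
done
```

Comparing the target type in the printed rule against `semanage port -l | grep 8080` shows whether the port label or the domain policy is what needs changing.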
