httpd fails to start with latest policy

Stephen Smalley sds at
Fri Jun 17 17:26:08 UTC 2005

On Fri, 2005-06-17 at 10:14 -0700, Bob Kashani wrote:
> httpd fails to start with the latest FC3 policy.
> selinux-policy-targeted-1.17.30-3.9
> Here is the AVC message:
> Jun 17 10:04:48 sorcerer kernel: audit(1119027888.944:0): avc:  denied
> { name_bind } for  pid=3265 exe=/usr/sbin/httpd src=2121
> scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:port_t
> tclass=tcp_socket
> Jun 17 10:04:48 sorcerer httpd: (13)Permission denied: make_sock: could
> not bind to address [::]:2121
> Jun 17 10:04:48 sorcerer httpd: no listening sockets available, shutting
> down
> Jun 17 10:04:48 sorcerer httpd: Unable to open logs
> Jun 17 10:04:48 sorcerer httpd: httpd startup failed
> I normally use port 80 and 2121. How do I fix this?

As a workaround, you can add a definition for 2121
to /etc/selinux/targeted/src/policy/net_contexts, likewise mapping it to
http_port_t, e.g.
	portcon tcp 2121 system_u:object_r:http_port_t

Naturally, that won't survive updates.  There isn't presently a clean
way to do local customization of network-related contexts, but that is
planned (but isn't likely to be included until FC5).  

Alternative is to let httpd bind to any non-reserved port at all, i.e.
	allow httpd_t port_t:tcp_socket name_bind;
in /etc/selinux/targeted/src/policy/domains/misc/local.te (or any name
not used by the policy package), which would survive updates.

Stephen Smalley
National Security Agency

More information about the fedora-selinux-list mailing list