Privoxy and Port 8080

Daniel J Walsh dwalsh at redhat.com
Mon Apr 17 10:43:23 UTC 2006


Joel Gomberg wrote:
> I originally posted this message to the fedora users list. It was 
> suggested that I might have better luck here.
>
> SELinux is blocking privoxy's access to my public library's online 
> catalog:
>
> http://oaklandlibrary.org:8080/ipac20/ipac.jsp?profile=#focus
>
> SELinux denies access.  With setenforce=0, access is permitted, so I'm
> sure it's a SELinux issue.  After perusing the SELinux FAQ, I issued
> this command:
>
> semanage port -a -p tcp -t http_port_t 8080.
>
> The response was that port 8080 was already defined.
>
> The denial message is:
>
> type=AVC msg=audit(1145058006.474:1026): avc:  denied  { name_connect }
> for  pid=13185 comm="privoxy" dest=8080
> scontext=system_u:system_r:privoxy_t:s0
>
> I received a suggestion to issue this command:
>
> semanage port -m -p tcp -t privoxy_t 8080
>
> This changed the denial message slightly:
>
> type=AVC msg=audit(1145112509.543:104): avc:  denied  { name_connect } 
> for  pid=4137 comm="privoxy" dest=8080 
> scontext=system_u:system_r:privoxy_t:s0 
> tcontext=system_u:object_r:privoxy_t:s0 tclass=tcp_socket
>
> I then issued these commands:
>
> [root at alcibiades ~]# setenforce 0
> [root at alcibiades ~]# audit2allow -i /var/log/audit/audit.log
>
> and received this output [relevant to Privoxy]:
>
> allow privoxy_t http_cache_port_t:tcp_socket name_connect;
> allow privoxy_t self:tcp_socket name_connect;
>
> I don't know how to proceed from here.
Try

audit2allow -M privoxy -i /var/log/audit/audit.log
semodule -i privoxy.pp

This will create a modular policy that will add these rules to your machine.

I will change policy to allow privoxy to connect to port 8080
>
> -- 
> Joel
>
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
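
Added example, not part of either message and not audit2allow's own code: a minimal Python sketch of how AVC denials like those quoted above map to the two allow rules shown. The third sample record is constructed (its tcontext is assumed from the audit2allow output in the thread); `denials_to_rules` and `selinux_type` are hypothetical names.

```python
import re

# Record 1: the thread's first denial exactly as quoted (it has no tcontext).
# Record 2: the thread's second denial, after port 8080 was relabelled privoxy_t.
# Record 3: CONSTRUCTED sample; audit id, pid and tcontext are assumptions.
SAMPLE_LOG = """\
type=AVC msg=audit(1145058006.474:1026): avc:  denied  { name_connect } for  pid=13185 comm="privoxy" dest=8080 scontext=system_u:system_r:privoxy_t:s0
type=AVC msg=audit(1145112509.543:104): avc:  denied  { name_connect } for  pid=4137 comm="privoxy" dest=8080 scontext=system_u:system_r:privoxy_t:s0 tcontext=system_u:object_r:privoxy_t:s0 tclass=tcp_socket
type=AVC msg=audit(1000000000.000:1): avc:  denied  { name_connect } for  pid=1234 comm="privoxy" dest=8080 scontext=system_u:system_r:privoxy_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def denials_to_rules(log_text):
    """Turn AVC denial lines into sorted, de-duplicated allow rules."""
    grouped = {}
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # not a denial, or truncated: no rule can be derived
        src = selinux_type(m["scon"])
        tgt = selinux_type(m["tcon"])
        if tgt == src:
            # Source and target types match, so the rule is written with "self".
            # Here that happens because the port was given the domain type.
            tgt = "self"
        grouped.setdefault((src, tgt, m["tclass"]), set()).update(m["perms"].split())
    rules = []
    for (src, tgt, tclass), perms in sorted(grouped.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {perm_text};")
    return rules

if __name__ == "__main__":
    print("\n".join(denials_to_rules(SAMPLE_LOG)))
```

The `self` rule is a side effect of labelling port 8080 with `privoxy_t`, which is a process domain rather than a port type; the `http_cache_port_t` rule is the one that matches the port's original label.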



