Privoxy and Port 8080

Joel Gomberg obligor11-fedora at yahoo.com
Mon Apr 17 17:13:44 UTC 2006 

Daniel J Walsh wrote:
> Joel Gomberg wrote:
>> I originally posted this message to the fedora users list. It was 
>> suggested that I might have better luck here.
>>
>> SELinux is blocking privoxy's access to my public library's online 
>> catalog:
>>
>> http://oaklandlibrary.org:8080/ipac20/ipac.jsp?profile=#focus
>>
>> SELinux denies access.  With setenforce=0, access is permitted, so I'm
>> sure it's a SELinux issue.  After perusing the SELinux FAQ, I issued
>> this command:
>>
>> semanage port -a -p tcp -t http_port_t 8080.
>>
>> The response was that port 8080 was already defined.
>>
>> The denial message is:
>>
>> type=AVC msg=audit(1145058006.474:1026): avc:  denied  { name_connect }
>> for  pid=13185 comm="privoxy" dest=8080
>> scontext=system_u:system_r:privoxy_t:s0
>>
>> I received a suggestion to issue this command:
>>
>> semanage port -m -p tcp -t privoxy_t 8080
>>
>> This changed the denial message slightly:
>>
>> type=AVC msg=audit(1145112509.543:104): avc:  denied  { name_connect } 
>> for  pid=4137 comm="privoxy" dest=8080 
>> scontext=system_u:system_r:privoxy_t:s0 
>> tcontext=system_u:object_r:privoxy_t:s0 tclass=tcp_socket
>>
>> I then issued these commands:
>>
>> [root at alcibiades ~]# setenforce 0
>> [root at alcibiades ~]# audit2allow -i /var/log/audit/audit.log
>>
>> and received this output [relevant to Privoxy]:
>>
>> allow privoxy_t http_cache_port_t:tcp_socket name_connect;
>> allow privoxy_t self:tcp_socket name_connect;
>>
>> I don't know how to proceed from here.
> Try
> 
> audit2allow -M privoxy -i /var/log/audit/audit.log
> semodule -i privoxy.pp
> 
> This will greate a modular policy that will add these rules to your 
> machine.
> 
> I will change policy to allow privoxy to connect to port 8080

Apparently, it was a bit more complex than that:

audit2allow -M privoxy -i /var/log/audit/audit.log
Generating type enforcment file: privoxy.te
Compiling policy
checkmodule -M -m -o privoxy.mod privoxy.te
semodule_package -o privoxy.pp -m privoxy.mod

******************** IMPORTANT ***********************

In order to load this newly created policy package into the kernel,
you are required to execute

semodule -i privoxy.pp


[root at alcibiades ~]# semodule -i privoxy.pp

The denial messages were different, but still no cigar:

type=AVC msg=audit(1145284191.527:141): avc:  denied  { recv_msg } for
saddr=209.233.191.3 src=8080 daddr=192.168.0.5 dest=37465 netif=eth1
scontext=system_u:system_r:privoxy_t:s0
tcontext=system_u:object_r:privoxy_t:s0 tclass=tcp_socket

I then repeated the audit2allow and semodule commands and this time it
works.

HOWEVER, after I posted the initial message, I realized that all I had
to do was bypass Privoxy for the library's domain in my browser
settings.  So perhaps it isn't really necessary to mess with the policy.

--
Joel

More information about the fedora-selinux-list mailing list