Privoxy and Port 8080
Joel Gomberg
obligor11-fedora at yahoo.com
Mon Apr 17 17:13:44 UTC 2006
Daniel J Walsh wrote:
> Joel Gomberg wrote:
>> I originally posted this message to the fedora users list. It was
>> suggested that I might have better luck here.
>>
>> SELinux is blocking privoxy's access to my public library's online
>> catalog:
>>
>> http://oaklandlibrary.org:8080/ipac20/ipac.jsp?profile=#focus
>>
>> SELinux denies access. With setenforce=0, access is permitted, so I'm
>> sure it's a SELinux issue. After perusing the SELinux FAQ, I issued
>> this command:
>>
>> semanage port -a -p tcp -t http_port_t 8080.
>>
>> The response was that port 8080 was already defined.
>>
>> The denial message is:
>>
>> type=AVC msg=audit(1145058006.474:1026): avc: denied { name_connect }
>> for pid=13185 comm="privoxy" dest=8080
>> scontext=system_u:system_r:privoxy_t:s0
>>
>> I received a suggestion to issue this command:
>>
>> semanage port -m -p tcp -t privoxy_t 8080
>>
>> This changed the denial message slightly:
>>
>> type=AVC msg=audit(1145112509.543:104): avc: denied { name_connect }
>> for pid=4137 comm="privoxy" dest=8080
>> scontext=system_u:system_r:privoxy_t:s0
>> tcontext=system_u:object_r:privoxy_t:s0 tclass=tcp_socket
>>
>> I then issued these commands:
>>
>> [root@alcibiades ~]# setenforce 0
>> [root@alcibiades ~]# audit2allow -i /var/log/audit/audit.log
>>
>> and received this output [relevant to Privoxy]:
>>
>> allow privoxy_t http_cache_port_t:tcp_socket name_connect;
>> allow privoxy_t self:tcp_socket name_connect;
>>
>> I don't know how to proceed from here.
> Try
>
> audit2allow -M privoxy -i /var/log/audit/audit.log
> semodule -i privoxy.pp
>
> This will create a modular policy that will add these rules to your
> machine.
>
> I will change policy to allow privoxy to connect to port 8080
Apparently, it was a bit more complex than that:
audit2allow -M privoxy -i /var/log/audit/audit.log
Generating type enforcment file: privoxy.te
Compiling policy
checkmodule -M -m -o privoxy.mod privoxy.te
semodule_package -o privoxy.pp -m privoxy.mod
******************** IMPORTANT ***********************
In order to load this newly created policy package into the kernel,
you are required to execute
semodule -i privoxy.pp
[root@alcibiades ~]# semodule -i privoxy.pp
The denial messages were different, but still no cigar:
type=AVC msg=audit(1145284191.527:141): avc: denied { recv_msg } for
saddr=209.233.191.3 src=8080 daddr=192.168.0.5 dest=37465 netif=eth1
scontext=system_u:system_r:privoxy_t:s0
tcontext=system_u:object_r:privoxy_t:s0 tclass=tcp_socket
I then repeated the audit2allow and semodule commands, and this time it
worked.
HOWEVER, after I posted the initial message, I realized that all I had
to do was bypass Privoxy for the library's domain in my browser
settings. So perhaps it isn't really necessary to mess with the policy.
--
Joel
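As an added example, not part of this thread or of Fedora's tooling, the script below re-implements the rule-generation step of audit2allow for AVC lines like the ones quoted above, so the reader can see how each denial maps to an allow rule; the sample input is constructed, and the first line's tcontext (http_cache_port_t) is an assumption taken from the quoted audit2allow output.

```shell
#!/bin/sh
# Added example (not from the thread or from Fedora's tools): a minimal
# stand-in for the rule-generation step of audit2allow. It reads AVC lines
# such as the ones quoted above and prints one type-enforcement "allow" rule
# per distinct (source type, target type, class, permission) tuple.

# Constructed sample input, modelled on the three denials quoted in the
# thread; the first line's tcontext is assumed to be http_cache_port_t,
# which is what the quoted audit2allow output implies.
SAMPLE_AVC='type=AVC msg=audit(1145058006.474:1026): avc: denied { name_connect } for pid=13185 comm="privoxy" dest=8080 scontext=system_u:system_r:privoxy_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1145112509.543:104): avc: denied { name_connect } for pid=4137 comm="privoxy" dest=8080 scontext=system_u:system_r:privoxy_t:s0 tcontext=system_u:object_r:privoxy_t:s0 tclass=tcp_socket
type=AVC msg=audit(1145284191.527:141): avc: denied { recv_msg } for saddr=209.233.191.3 src=8080 daddr=192.168.0.5 dest=37465 netif=eth1 scontext=system_u:system_r:privoxy_t:s0 tcontext=system_u:object_r:privoxy_t:s0 tclass=tcp_socket'

# avc_to_allow: AVC denial lines on stdin -> sorted, de-duplicated allow rules.
avc_to_allow() {
    awk '
    # type_of: the third field of an SELinux context (user:role:type:level)
    function type_of(ctx,   p) { split(ctx, p, ":"); return p[3] }
    /avc: +denied/ {
        perm = ""; src = ""; tgt = ""; cls = ""
        # the permission set sits between "denied { " and " }"
        if (match($0, /denied [{] [^}]* [}]/)) {
            perm = substr($0, RSTART + 9, RLENGTH - 11)
            gsub(/^ +| +$/, "", perm)
        }
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext")      src = type_of(kv[2])
            else if (kv[1] == "tcontext") tgt = type_of(kv[2])
            else if (kv[1] == "tclass")   cls = kv[2]
        }
        # lines with a missing field (e.g. no tcontext) produce no rule
        if (perm == "" || src == "" || tgt == "" || cls == "") next
        # A target equal to the source type is written as "self", exactly as
        # in the quoted audit2allow output. For a tcp_socket that means the
        # port carries the daemon domain type rather than a port type, which
        # is what the "semanage port -m -t privoxy_t" step in the thread did.
        if (tgt == src) tgt = "self"
        print "allow " src " " tgt ":" cls " " perm ";"
    }' | LC_ALL=C sort -u
}

printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
```

The three rules it prints match the shape of the audit2allow output quoted in the thread; the two "self" rules are the ones that appear only after port 8080 was relabelled to privoxy_t.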