httpd and tcp_connect
Wart
wart at kobold.org
Sun Jan 21 19:24:14 UTC 2007
I'm receiving the following avc denial from a game package that's under
review[1]:

    Jan 21 10:55:49 localhost kernel: audit(1169405749.338:3): avc: denied
    { name_connect } for pid=2661 comm="httpd" dest=19382
    scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0
    tclass=tcp_socket

The package includes a php-based web application and a python daemon
backend. The php webapp communicates with the python daemon through tcp
sockets.
From the avc denial it appears that this communication fails because
httpd is not allowed to establish tcp connections. This seems like a
valid security restriction, except in this case I do want to allow it.
How can I configure the httpd policy to allow tcp connections, but only
to localhost and only on the python daemon's ports (19380-19383)?
--Wart
[1] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=219972
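
An added example, not part of the original post: a small Python parser for the AVC denial quoted above. It derives the allow rule the denial corresponds to and flags that the target type is the generic port_t, so that rule alone would not be limited to ports 19380-19383. The function names are hypothetical, and the sample line is the post's denial joined onto one line.

```python
import re

# Constructed sample: the denial quoted in the post, joined onto one line.
SAMPLE = (
    'Jan 21 10:55:49 localhost kernel: audit(1169405749.338:3): avc: denied '
    '{ name_connect } for pid=2661 comm="httpd" dest=19382 '
    'scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 '
    'tclass=tcp_socket')

DAEMON_PORTS = range(19380, 19384)  # 19380-19383, the daemon ports named in the post
GENERIC_PORT_TYPE = "port_t"        # type of a port that has no specific label

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the denial as a dict, or None if the line is not a usable AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, value in FIELD_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    for ctx in ("scontext", "tcontext"):
        parts = rec.get(ctx, "").split(":")
        if len(parts) < 3:
            return None
        rec[ctx + "_type"] = parts[2]  # context is user:role:type[:mls]
    return rec

def assess(rec):
    """Build the rule the denial maps to and note how much it would open up."""
    rule = "allow %s %s:%s { %s };" % (
        rec["scontext_type"], rec["tcontext_type"],
        rec.get("tclass", "?"), " ".join(rec["perms"]))
    notes = []
    if rec["tcontext_type"] == GENERIC_PORT_TYPE:
        notes.append("target is generic port_t: rule covers every port still labeled port_t")
    if rec.get("dest", "").isdigit() and int(rec["dest"]) in DAEMON_PORTS:
        notes.append("dest %s is inside the daemon range 19380-19383" % rec["dest"])
    return rule, notes

if __name__ == "__main__":
    rule, notes = assess(parse_avc(SAMPLE))
    print(rule)
    for note in notes:
        print(" -", note)
```
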