Another SELinux denial to be dealt with.

Daniel J Walsh dwalsh at redhat.com
Thu Jan 24 15:25:52 UTC 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Gene Heskett wrote:
> Greetings;
> 
> Verizon makes life a bitch by violating common carrier rules when they block 
> port 80 to keep their customers from running a web server.  But port 85 
> appears to be an unassigned port, and I have successfully used it to test when 
> selinux, privoxy and squid were not running.  Now they are, and an attempted 
> connect to http://gene.homelinux.net:85 now gets a 503 because selinux denies it.
> 
> As saved from setroubleshooter:
> =================
> Summary:
> 
> SELinux is preventing the privoxy(/usr/sbin/privoxy) (privoxy_t) from connecting
> to port 85.
> 
> Detailed Description:
> 
> SELinux has denied the privoxy(/usr/sbin/privoxy) from connecting to a network
> port 85 which does not have an SELinux type associated with it. If
> privoxy(/usr/sbin/privoxy) is supposed to be allowed to connect on this port,
> you can use the semanage command to add this port to a port type that privoxy_t
> can connect to. semanage port -L will list all port types. Please file a bug
> report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the
> selinux-policy package. If privoxy(/usr/sbin/privoxy) is not supposed to bind to
> this port, this could signal an intrusion attempt.
> 
> Allowing Access:
> 
> If you want to allow privoxy(/usr/sbin/privoxy) to connect to this port semanage
> port -a -t PORT_TYPE -p PROTOCOL 85 Where PORT_TYPE is a type that privoxy_t can
> connect.
> 
> Additional Information:
> 
> Source Context                system_u:system_r:privoxy_t:s0
> Target Context                system_u:object_r:reserved_port_t:s0
> Target Objects                None [ tcp_socket ]
> Source                        privoxy(/usr/sbin/privoxy)
> Port                          85
> Host                          coyote.coyote.den
> Source RPM Packages           
> Target RPM Packages           
> Policy RPM                    selinux-policy-3.0.8-76.fc8
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   connect_ports
> Host Name                     coyote.coyote.den
> Platform                      Linux coyote.coyote.den 2.6.24-rc8 #2 SMP Wed Jan
>                               16 22:47:57 EST 2008 i686 athlon
> Alert Count                   4
> First Seen                    Tue 22 Jan 2008 10:10:07 AM EST
> Last Seen                     Tue 22 Jan 2008 10:11:16 AM EST
> Local ID                      748d1fcf-28fe-4b1b-87c3-40a0b272393d
> Line Numbers                  
> 
> Raw Audit Messages            
> 
> host=coyote.coyote.den type=AVC msg=audit(1201014676.609:434): avc:  denied  { name_connect } for  pid=14357 
> comm="privoxy" dest=85 scontext=system_u:system_r:privoxy_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 
> tclass=tcp_socket
> 
> host=coyote.coyote.den type=SYSCALL msg=audit(1201014676.609:434): arch=40000003 syscall=102 success=no exit=-13 a0=3 
> a1=b67366e0 a2=b6736798 a3=0 items=0 ppid=1 pid=14357 auid=4294967295 uid=73 gid=73 euid=73 suid=73 fsuid=73 egid=73 
> sgid=73 fsgid=73 tty=(none) comm="privoxy" exe="/usr/sbin/privoxy" subj=system_u:system_r:privoxy_t:s0 key=(null)
> 
> ==================
> What can I do to allow this?  The above isn't precise enough for me to go stumbling around.
> 
> 2nd, do these mailing lists echo each other?  If so, sorry about hitting both.
> 
The best way to handle this is to define port 85 as http_port_t; this
way all domains that can use http_port_t will gain access.

semanage port -a -t http_port_t -p tcp 85


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkeYrf8ACgkQrlYvE4MpobNfywCeKO39DQKjtgoLPgyGrp2LkRk4
1u0AoJxex/fafIhBW/vuKSwrCNmHQv5R
=W6Wm
-----END PGP SIGNATURE-----
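An added example, not part of the thread above: a small POSIX sh script that turns a raw AVC `name_connect` denial like the one Gene posted into the `semanage port` command Dan recommends, and that also covers the case the reply does not spell out, a port that already carries a type (then `semanage port -a` fails and `-m` is needed). The AVC line and the `semanage port -l` listing are constructed samples embedded in the script, modelled on the thread, so it runs without SELinux installed; the target type (`http_port_t`) is passed in by the caller, as in Dan's answer.

```shell
#!/bin/sh
# Added example (not code from the original post). Parses a raw AVC line and a
# `semanage port -l` style listing to produce the right semanage command.

# Constructed sample AVC line, modelled on the one in the thread.
SAMPLE_AVC='type=AVC msg=audit(1201014676.609:434): avc:  denied  { name_connect } for  pid=14357 comm="privoxy" dest=85 scontext=system_u:system_r:privoxy_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket'

# Constructed sample of `semanage port -l` output: type, protocol, port list.
# Port numbers here are illustrative, not a capture from a real policy.
SAMPLE_PORTS='http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
http_cache_port_t              tcp      3128, 8080, 8118
squid_port_t                   tcp      3128
ssh_port_t                     tcp      22
dns_port_t                     udp      53'

# avc_field LINE KEY: print the value of KEY=VALUE from an audit line.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# port_in_list PORT "80, 443, 1-1023": succeed if PORT falls in the list.
port_in_list() {
    p=$1
    for entry in $(printf '%s' "$2" | tr ',' ' '); do
        case $entry in
            *-*) lo=${entry%-*}; hi=${entry#*-} ;;
            *)   lo=$entry; hi=$entry ;;
        esac
        [ "$p" -ge "$lo" ] && [ "$p" -le "$hi" ] && return 0
    done
    return 1
}

# port_type_of PORT PROTO LISTING: print the type already assigned to
# PORT/PROTO in LISTING, or nothing if the port is unlabeled (it then
# falls back to reserved_port_t below 1024 or unreserved_port_t above).
port_type_of() {
    printf '%s\n' "$3" | while read -r type lproto ports; do
        [ "$lproto" = "$2" ] || continue
        if port_in_list "$1" "$ports"; then
            printf '%s\n' "$type"
            break
        fi
    done
}

# semanage_command TYPE PROTO PORT LISTING: emit the command that labels
# PORT/PROTO as TYPE. An unlabeled port takes -a; a port that already has a
# different type must be changed with -m, because -a refuses to redefine it.
semanage_command() {
    existing=$(port_type_of "$3" "$2" "$4")
    if [ -z "$existing" ]; then
        printf 'semanage port -a -t %s -p %s %s\n' "$1" "$2" "$3"
    elif [ "$existing" = "$1" ]; then
        printf '# port %s/%s is already %s; nothing to do\n' "$3" "$2" "$1"
    else
        printf 'semanage port -m -t %s -p %s %s\n' "$1" "$2" "$3"
    fi
}

# fix_for_avc AVC_LINE TYPE LISTING: derive port and protocol from the
# denial (dest= and tclass=) and print the matching semanage command.
fix_for_avc() {
    port=$(avc_field "$1" dest)
    case $(avc_field "$1" tclass) in
        tcp_socket) proto=tcp ;;
        udp_socket) proto=udp ;;
        *) echo "not a port denial: $1" >&2; return 1 ;;
    esac
    semanage_command "$2" "$proto" "$port" "$3"
}

# Gene's case: port 85 is unlabeled, so the answer is the -a form Dan gave.
fix_for_avc "$SAMPLE_AVC" http_port_t "$SAMPLE_PORTS"
# A port that already has a type (8080 is http_cache_port_t here) needs -m.
semanage_command http_port_t tcp 8080 "$SAMPLE_PORTS"
```

Before running the emitted command on a real box, confirm the chosen type is one the source domain may actually connect to, e.g. `sesearch -A -s privoxy_t -c tcp_socket -p name_connect` (setools), and afterwards re-check with `semanage port -l | grep http_port_t` and a fresh `ausearch -m AVC -ts recent`; if the denial persists the port was labeled but the domain still lacks the `name_connect` rule for that type.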