httpd fails to start with latest policy
Bob Kashani
bobk at ocf.berkeley.edu
Fri Jun 17 23:15:20 UTC 2005
On Fri, 2005-06-17 at 13:26 -0400, Stephen Smalley wrote:
> On Fri, 2005-06-17 at 10:14 -0700, Bob Kashani wrote:
> > httpd fails to start with the latest FC3 policy.
> >
> > selinux-policy-targeted-1.17.30-3.9
> >
> > Here is the AVC message:
> >
> > Jun 17 10:04:48 sorcerer kernel: audit(1119027888.944:0): avc: denied
> > { name_bind } for pid=3265 exe=/usr/sbin/httpd src=2121
> > scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:port_t
> > tclass=tcp_socket
> > Jun 17 10:04:48 sorcerer httpd: (13)Permission denied: make_sock: could
> > not bind to address [::]:2121
> > Jun 17 10:04:48 sorcerer httpd: no listening sockets available, shutting
> > down
> > Jun 17 10:04:48 sorcerer httpd: Unable to open logs
> > Jun 17 10:04:48 sorcerer httpd: httpd startup failed
> >
> > I normally use port 80 and 2121. How do I fix this?
>
> As a workaround, you can add a definition for 2121
> to /etc/selinux/targeted/src/policy/net_contexts, likewise mapping it to
> http_port_t, e.g.
> portcon tcp 2121 system_u:object_r:http_port_t
>
> Naturally, that won't survive updates. There isn't presently a clean
> way to do local customization of network-related contexts, but that is
> planned (but isn't likely to be included until FC5).
>
> Alternative is to let httpd bind to any non-reserved port at all, i.e.
> allow httpd_t port_t:tcp_socket name_bind;
> in /etc/selinux/targeted/src/policy/domains/misc/local.te (or any name
> not used by the policy package), which would survive updates.
Thanks, Stephen, it worked. I ended up using the local.te method so that
an upgrade won't whack my web server again. :)
Also, is this behavior the same in FC4? My desktop is currently running
FC4 and I'm going to upgrade my home server soon to FC4, so I was just
wondering.
Bob
--
Bob Kashani
http://www.ocf.berkeley.edu/~bobk/garnome
More information about the fedora-selinux-list
mailing list