Problems with httpd and SElinux.

[Daniel J Walsh]

Daniel B. Thurman wrote:
> Folks,
>
> I was asked to post this information here.  To explain things,
> I have installed FrontPage extensions on FC4 but not realizing
> that I had to first disable SElinux for httpd first, but to make
> a long story short, I was able to install FP and then restore
> SElinux protections for httpd, but on reboot, SElinux refused
> to allow httpd to start and I suspect it had something to do
> with the FrontPage additions to the /etc/httpd/conf/httpd.conf
> file.  I currently have SElinux protections turned off for
> https. Below is the audit file, hope it helps show the problem.
>
> type=AVC msg=audit(1131056930.757:251): avc:  denied  { name_bind } for  pid=4946 comm="httpd" src=8090 scontext=root:system_r:httpd_t tcontext=system_u:object_r:port_t tclass=tcp_socket
> type=SYSCALL msg=audit(1131056930.757:251): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfc779f0 a2=750218 a3=8b8da58 items=0 pid=4946 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="httpd" exe="/usr/sbin/httpd"
> type=SOCKADDR msg=audit(1131056930.757:251): saddr=0A001F9A000000000000000000000000000000000000000000000000
> type=SOCKETCALL msg=audit(1131056930.757:251): nargs=3 a0=5 a1=8b8da84 a2=1c
>
> Kind regards,
> Dan
>
>   
We do not currently allow apache to listen on port 8090, but this looks 
legitimate, so I will add to policy.
You can install policy (selinux-policy-targeted-sources for now and add 
a line to
/etc/selinux/targeted/src/policy/domains/misc/local.te
portcon tcp 8090  system_u:object_r:http_port_t

Then execute make -c /etc/selinux/targeted/src/policy load

and you should be able to use that port.

 



--