Bug 121068

Summary: Connection refused attempt to contact http server
Product: [Fedora] Fedora
Reporter: Gene Czarcinski <gczarcinski>
Component: policy
Assignee: Colin Walters <walters>
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Version: rawhide
CC: pgraner
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2004-04-20 07:52:37 UTC
Bug Blocks: 114961

Description Gene Czarcinski 2004-04-16 19:14:02 UTC
Description of problem:

I started httpd (configured as distributed).  I then attempted to
contact it from another system.

start httpd when enforcing=0 ... works

start httpd when enforcing=1 ... connection refused.


policy=1.11.2-8

Here are the messages from /var/log/messages:

Apr 16 15:02:24 chaos httpd: httpd shutdown succeeded
Apr 16 15:02:31 chaos kernel: audit(1082142151.511:0): avc:  granted  { setenforce } for  pid=25782 exe=/usr/bin/setenforce scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t tclass=security
Apr 16 15:02:36 chaos httpd: httpd startup succeeded
Apr 16 15:02:36 chaos kernel: audit(1082142156.772:0): avc:  denied  { write } for  pid=25796 exe=/usr/sbin/httpd name=jk2.shm dev=hda7 ino=1056042 scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_log_t tclass=file
Apr 16 15:02:36 chaos kernel: audit(1082142156.996:0): avc:  denied  { write } for  pid=25796 exe=/usr/sbin/httpd name=.index dev=hda7 ino=868025 scontext=root:system_r:httpd_t tcontext=root:object_r:usr_t tclass=file

After applying policy=1.11.2-8

Apr 16 15:13:19 chaos kernel: audit(1082142799.863:0): avc:  granted  { setenforce } for  pid=26215 exe=/usr/bin/setenforce scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t tclass=security
Apr 16 15:13:22 chaos kernel: audit(1082142802.703:0): avc:  granted  { setenforce } for  pid=26217 exe=/usr/bin/setenforce scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t tclass=security
Apr 16 15:13:36 chaos httpd: httpd startup succeeded
Apr 16 15:13:36 chaos kernel: audit(1082142816.393:0): avc:  denied  { write } for  pid=26233 exe=/usr/sbin/httpd name=jk2.shm dev=hda7 ino=1056042 scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_log_t tclass=file
Apr 16 15:13:36 chaos kernel: audit(1082142816.622:0): avc:  denied  { write } for  pid=26233 exe=/usr/sbin/httpd name=.index dev=hda7 ino=868025 scontext=root:system_r:httpd_t tcontext=root:object_r:usr_t tclass=file

Comment 1 Colin Walters 2004-04-16 22:49:46 UTC
I can reproduce this.  When I do an enableaudit policy build, I can
see denials like:

audit(1082155901.061:0): avc:  denied  { read write } for  pid=4124 exe=/usr/sbin/httpd path=/dev/pts/9 dev= ino=11 scontext=root:system_r:httpd_t tcontext=root:object_r:sysadm_devpts_t tclass=chr_file

If I allow this, Apache starts up correctly.  Investigating more...

Comment 2 Colin Walters 2004-04-16 23:26:02 UTC
Hm, it appears to be getting an error deep in APR.  I wonder if this
has something to do with the kernel closing fds 0-2 again.

Comment 3 Colin Walters 2004-04-19 15:12:45 UTC
Now I can't reproduce this anymore.  I couldn't on my laptop in the
first place, and after a yum upgrade and a reboot on my desktop, the
issue is gone there as well.   The only thing I can think of is that
maybe some of the recent networking changes in the policy require a
reboot to have the sockets correctly labeled.

Gene, can you try upgrading to the latest rawhide and/or rebooting
your system?  Can you reproduce this 100% still?  


Comment 4 Gene Czarcinski 2004-04-20 07:52:37 UTC
Still getting some avc: denied messages but I can now start and get
connected when enforcing=1.  Whatever the problem was, it is now fixed.

policy=1.11.2-9

closing
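
Added example, not part of the original report and not code from the SELinux project: a small Python parser that groups AVC denials like the ones quoted in this report by source type, target type and object class, and renders each group in allow-rule syntax so the denials can be reviewed side by side. The function names are hypothetical; the sample lines are the ones quoted in the comments above, re-joined onto single lines.

```python
import re
from collections import defaultdict

# Sample lines taken from the log excerpts in this report, re-joined onto single lines.
SAMPLE_LOG = """\
Apr 16 15:02:31 chaos kernel: audit(1082142151.511:0): avc:  granted  { setenforce } for  pid=25782 exe=/usr/bin/setenforce scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t tclass=security
Apr 16 15:02:36 chaos kernel: audit(1082142156.772:0): avc:  denied  { write } for  pid=25796 exe=/usr/sbin/httpd name=jk2.shm dev=hda7 ino=1056042 scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_log_t tclass=file
Apr 16 15:02:36 chaos kernel: audit(1082142156.996:0): avc:  denied  { write } for  pid=25796 exe=/usr/sbin/httpd name=.index dev=hda7 ino=868025 scontext=root:system_r:httpd_t tcontext=root:object_r:usr_t tclass=file
audit(1082155901.061:0): avc:  denied  { read write } for  pid=4124 exe=/usr/sbin/httpd path=/dev/pts/9 dev= ino=11 scontext=root:system_r:httpd_t tcontext=root:object_r:sysadm_devpts_t tclass=chr_file
"""

AVC_RE = re.compile(r"avc:\s+(granted|denied)\s+\{([^}]*)\}\s+for\s+(.*)")

def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group(1), "perms": m.group(2).split()}
    # The rest of the record is key=value pairs; a value may be empty (dev=).
    for key, value in re.findall(r"(\w+)=(\S*)", m.group(3)):
        rec[key] = value
    return rec

def summarize_denials(log_text):
    """Group denials by (source type, target type, class) -> set of perms."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue  # skip non-AVC lines and "granted" audit records
        # A context is user:role:type[:level]; the type is the third field.
        src = rec["scontext"].split(":")[2]
        tgt = rec["tcontext"].split(":")[2]
        groups[(src, tgt, rec["tclass"])].update(rec["perms"])
    return dict(groups)

def as_rules(groups):
    """Render each group in allow-rule syntax, as a review aid."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(groups.items())]

if __name__ == "__main__":
    for rule in as_rules(summarize_denials(SAMPLE_LOG)):
        print(rule)
```

Each output line is a candidate for review: a denial may point to a mislabeled file or an inherited descriptor rather than to a missing policy rule.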