Bug 167587

Summary: When httpd is configured to listen on a port other than 80 or 8080 the service failes to start.
Product: [Fedora] Fedora Reporter: Dave <d.h.hartman>
Component: selinux-policy-targetedAssignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: medium    
Version: 4CC: sundaram
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-09-05 23:52:45 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Dave 2005-09-05 23:36:01 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6

Description of problem:
When I changed the httpd.conf configuration to listen on a port other than 80 or 8080  (for example I used 750) the service failed to start.  I confirmed the syntax of the httpd.conf file was correct using apachectl... also it ran fine when starting the program from the command line.  I was able to fall back to the fedora core 2 init.d/httpd script and it worked successfully.  Thanks.

Version-Release number of selected component (if applicable):
httpd-2.0.54-10.1

How reproducible:
Always

Steps to Reproduce:
1.change port number in the /etc/httpd/conf/httpd.conf file to something other than 80 or 8080.
2.Restart the service.  It should fail to load.
3.
  

Actual Results:  The service failed to start.

Expected Results:  Program should have loaded listening on the other port.

Additional info:
Comment 1 Rahul Sundaram 2005-09-05 23:52:45 UTC 

This is not a bug.

Fedora Core 4 is configured to use SELinux targeted policy by default which
protects Apache from connecting to other ports.  You need to enable the SELinux
Apache boolean, httpd_can_network_connec=1  in /etc/selinux/targeted/booleans
file and reboot the system or use system-config-securitylevel tool to set this. 

For more information about SELinux see the following documents which applies to
FC4 also.

http://fedora.redhat.com/docs/selinux-faq-fc3/
http://fedora.redhat.com/docs/selinux-apache-fc3/

If you require further help on this, feel free to post to the fedora-selinux list

http://www.redhat.com/mailman/listinfo/fedora-selinux-list
Comment 2 Karsten Wade 2005-09-06 00:04:33 UTC 
Instead of rebooting, do this:

setsebool httpd_can_network_connec 1

That changes the boolean in runtime.

Also change the Boolean in /etc/selinux/targeted/booleans, as from Comment #1,
so that the change is picked up on next boot.

Just in case, it's worth confirming that your initscript has the correct SELinux
label:

ls -Z /etc/init.d/httpd
-rwxr-xr-x  root     root     system_u:object_r:initrc_exec_t  /etc/init.d/httpd

This is on FC3.  The key is the type of initrc_exec_t.  If the type is
different, you can run 'restorecon /etc/init.d/httpd'.
Comment 3 Karsten Wade 2005-09-06 00:06:54 UTC 
Oops, Rahul and I both chopped a 't' off the Boolean:

setsebool httpd_can_network_connect 1
Comment 4 Daniel Walsh 2005-09-06 21:01:30 UTC 
setsebool -P httpd_can_network_connect 1

will make it permanant, ie change the running machine and add an entry to the
booleans file.