Bug 426767
| Summary: | selinux problems running mythweb | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Need Real Name <bugzilla> |
| Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Ben Levenson <benl> |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | 8 | CC: | axel.thimm |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.0.8-57.fc8 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2008-01-15 19:02:08 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
You can turn on the boolean setsebool -P httpd_can_network_connect=1 To allow apache to connect to ports. You can update policy for hostname by executing the following. # audit2allow -M mypol -i /var/log/audit/audit.log # semodule -i mypol.pp I will fix policy for hostname in selinux-policy-3.0.8-73.fc8 |
I am using the ATrpms mythweb package from the mythtv suite. If you are not familiar with it, mythweb is basically a web browser that allows you to remotely control many aspects of mythtv over the web. Mythtweb needs to connect to mythbackend (default on port 6543) and also somewhere needs to run the command 'hostname' Both of these actions are creating selinux errors as follows: SELinux is preventing the http daemon from connecting to network port 6543 Detailed Description SELinux has denied the http daemon from connecting to 6543. An httpd script is trying to do a network connect to a remote port. If you did not setup httpd to network connections, this could signal a intrusion attempt. avc: denied { name_connect } for comm=httpd dest=6543 egid=48 euid=48 exe=/usr/sbin/httpd exit=-13 fsgid=48 fsuid=48 gid=48 items=0 pid=2757 scontext=system_u:system_r:httpd_t:s0 sgid=48 subj=system_u:system_r:httpd_t:s0 suid=48 tclass=tcp_socket tcontext=system_u:object_r:port_t:s0 tty=(none) uid=48 Summary SELinux is preventing the sh from using potentially mislabeled files /bin/hostname (hostname_exec_t). Detailed Description SELinux has denied the sh access to potentially mislabeled files /bin/hostname. This means that SELinux will not allow httpd to use these files. Many third party apps install html files in directories that SELinux policy cannot predict. These directories have to be labeled with a file context which httpd can access. avc: denied { getattr } for comm=sh dev=sda7 egid=48 euid=48 exe=/bin/bash exit=-13 fsgid=48 fsuid=48 gid=48 items=0 path=/bin/hostname pid=5186 scontext=system_u:system_r:httpd_t:s0 sgid=48 subj=system_u:system_r:httpd_t:s0 suid=48 tclass=file tcontext=system_u:object_r:hostname_exec_t:s0 tty=(none) uid=48 Is this something that you can fix in the targeted policy or is it something that the mythtv packager should fix? (I am cc'ing Axel here)