Bug 509707

Summary: setroubleshoot: SELinux is preventing httpd (httpd_t) "name_bind" transproxy_port_t.
Product: [Fedora] Fedora Reporter: Nicolas Mailhot <nicolas.mailhot>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: dwalsh, jorton, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:483d4f7551f756c936b854266a8c2015ae498449d67e198c963c9d99f63608c5
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-10-20 21:52:21 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Nicolas Mailhot 2009-07-05 12:09:58 UTC 
The following was filed automatically by setroubleshoot:

Résumé:

SELinux is preventing httpd (httpd_t) "name_bind" transproxy_port_t.

Description détaillée:

SELinux denied access requested by httpd. It is not expected that this access is
required by httpd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Autoriser l'accès:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Informations complémentaires:

Contexte source               unconfined_u:system_r:httpd_t:s0
Contexte cible                system_u:object_r:transproxy_port_t:s0
Objets du contexte            None [ tcp_socket ]
source                        httpd
Chemin de la source           /usr/sbin/httpd
Port                          8081
Hôte                         (removed)
Paquetages RPM source         httpd-2.2.11-9
Paquetages RPM cible          
Politique RPM                 selinux-policy-3.6.20-2.fc12
Selinux activé               True
Type de politique             targeted
MLS activé                   True
Mode strict                   Enforcing
Nom du plugin                 catchall
Nom de l'hôte                (removed)
Plateforme                    Linux (removed) 2.6.31-0.42.rc2.fc12.x86_64 #1 SMP
                              Sat Jul 4 20:49:29 EDT 2009 x86_64 x86_64
Compteur d'alertes            3
Première alerte              dim. 05 juil. 2009 13:57:14 CEST
Dernière alerte              dim. 05 juil. 2009 14:02:41 CEST
ID local                      fe603b18-2d4c-4239-b781-3d4f78fd934a
Numéros des lignes           

Messages d'audit bruts        

node=(removed) type=AVC msg=audit(1246795361.888:31248): avc:  denied  { name_bind } for  pid=3668 comm="httpd" src=8081 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:transproxy_port_t:s0 tclass=tcp_socket

node=(removed) type=SYSCALL msg=audit(1246795361.888:31248): arch=c000003e syscall=49 success=yes exit=0 a0=6 a1=7fb23e213bb0 a2=10 a3=7fff5e8db54c items=0 ppid=3667 pid=3668 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)


audit2allow suggests:

#============= httpd_t ==============
allow httpd_t transproxy_port_t:tcp_socket name_bind;
Comment 1 Nicolas Mailhot 2009-07-05 12:11:01 UTC 
Apache can be used as proxy via mod_proxy so this is a legitimate bind
Comment 2 Daniel Walsh 2009-07-06 02:00:05 UTC 
Would you consider this should be allowed by httpd_can_network_relay?  Or is this just a random port that you can proxy through httpd?