Bug 546785
| Summary: | SELinux is preventing /usr/sbin/httpd from connecting to port 25151. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Steve Traylen <steve.traylen> |
| Component: | cobbler | Assignee: | John Eckersberg <jeckersb> |
| Status: | CLOSED WONTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 12 | CC: | awood, cristian.ciupitu, dgoodwin, dwalsh, jeckersb, mgrepl, rajdave19, vanmeeuwen+fedora |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | setroubleshoot_trace_hash:8f864c28b32d9eafe645c412fac1cd60d7b84a516cb56ca4877c61f11b6b0e13 | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2010-12-04 01:47:20 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Steve Traylen
2009-12-11 22:54:11 UTC
You have changed the default way apache runs, so you need to tell SELinux about it.
If you want to change the ports the apache can connect to you can add this port to http_port_t
semanage port -a -t http_port_t -p tcp 25151
Running the avc through audit2allow it also shows booleans you could set.
# audit2allow -wi /tmp/t
node=(removed) type=AVC msg=audit(1260570524.282:45502): avc: denied { name_connect } for pid=7962 comm="httpd" dest=25151 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
Was caused by:
One of the following booleans was set incorrectly.
Description:
Allow system to run with NIS
Allow access by executing:
# setsebool -P allow_ypbind 1
Description:
Allow HTTPD scripts and modules to connect to the network using TCP.
Allow access by executing:
# setsebool -P httpd_can_network_connect 1
I am meant to do this or it is meant to be added as policy within the RPMS. Sure I can add it for now but for the future are these not meant to just installed with the packages? i.e this is for cobbler itself to add in a cobbler-selinux package or something? Remember I only reported since the "automatic bug reporting" tool suggested that I did. Steve Well If cobbler needs to setup apache to connect to port 25151 then maybe it should do it. I am not going to setup every apache site in the world to connect to this port. I would prefer that apache be setup to not be allowed to connect to any port by default and the administrator decide on which ports it can connect. This would potentially prevent apache worms. The goal with SELinux is to be as secure as possible by default, and have little admin. Maybe the init script of the cobbler startup could check the port is defined and then define it if it in not defined. This would only define it if some one actually turned on cobbler. Hi Daniel, Yes agreed its the responsibility of the cobbler package though I think the method is to have a cobbler-selinux package the same as say: The bug was auto-assigned to the selinux policy package , it should have never have gone there. # rpm -pql pure-ftpd-selinux-1.0.22-4.fc12.x86_64.rpm /usr/share/doc/pure-ftpd-selinux-1.0.22 /usr/share/doc/pure-ftpd-selinux-1.0.22/README.SELinux /usr/share/selinux/packages/pure-ftpd/pureftpd.pp that contains some policy that is loaded automatically. Steve My only concern is the mere adding of the cobbler package does not indicate you are going to use it. So if the cobbler package adds the port, apache will suddenly be able to connect. Adding a policy for cobbler would be good, and I think this is being worked on. This message is a reminder that Fedora 12 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 12. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '12'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 12's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 12 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping Fedora 12 changed to end-of-life (EOL) status on 2010-12-02. Fedora 12 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed. I have installed and configured cobbler and required setting as per the following link, http://centoshowtos.org/installation/kickstart-cobbler-on-centos-server/ and i too get the following error.. Can Anyone help?? [root@puppetserver puppet]# cobbler status httpd does not appear to be running and proxying cobbler, or SELinux is in the way. Original traceback: Traceback (most recent call last): File "/usr/lib/python2.6/site-packages/cobbler/cli.py", line 184, in check_setup s.ping() File "/usr/lib64/python2.6/xmlrpclib.py", line 1199, in __call__ return self.__send(self.__name, args) File "/usr/lib64/python2.6/xmlrpclib.py", line 1489, in __request verbose=self.__verbose File "/usr/lib64/python2.6/xmlrpclib.py", line 1235, in request self.send_content(h, request_body) File "/usr/lib64/python2.6/xmlrpclib.py", line 1349, in send_content connection.endheaders() File "/usr/lib64/python2.6/httplib.py", line 908, in endheaders self._send_output() File "/usr/lib64/python2.6/httplib.py", line 780, in _send_output self.send(msg) File "/usr/lib64/python2.6/httplib.py", line 739, in send self.connect() File "/usr/lib64/python2.6/httplib.py", line 720, in connect self.timeout) File "/usr/lib64/python2.6/socket.py", line 553, in create_connection for res in getaddrinfo(host, port, 0, SOCK_STREAM): gaierror: [Errno -2] Name or service not known (In reply to comment #8) This bug report is for Fedora, not for CentOS. Also your issue doesn't look similar to the one reported here. Last, but not least, this is not a support forum. If you're having issues with cobbler have a look at http://www.cobblerd.org/community.html |