Bug 121068 - Connection refused attempt to contact http server
Summary: Connection refused attempt to contact http server
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: policy (Show other bugs)
(Show other bugs)
Version: rawhide
Hardware: All Linux
medium
medium
Target Milestone: ---
Assignee: Colin Walters
QA Contact:
URL:
Whiteboard:
Keywords:
Depends On:
Blocks: FC2Blocker
TreeView+ depends on / blocked
 
Reported: 2004-04-16 19:14 UTC by Gene Czarcinski
Modified: 2007-11-30 22:10 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-04-20 07:52:37 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Gene Czarcinski 2004-04-16 19:14:02 UTC
Description of problem:

I started httpd (configured as distributed).  I then attempted to
contact it from another system.

start httpd when enforcing=0 ... works

start httpd when enforcing=1 ... connection refused.


policy=1.11.2-8

Here are the messages from /var/log/messages:

Apr 16 15:02:24 chaos httpd: httpd shutdown succeeded
Apr 16 15:02:31 chaos kernel: audit(1082142151.511:0): avc:  granted 
{ setenforce } for  pid=25782 exe=/usr/bin/setenforce
scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t
tclass=security
Apr 16 15:02:36 chaos httpd: httpd startup succeeded
Apr 16 15:02:36 chaos kernel: audit(1082142156.772:0): avc:  denied  {
write } for  pid=25796 exe=/usr/sbin/httpd name=jk2.shm dev=hda7
ino=1056042 scontext=root:system_r:httpd_t
tcontext=root:object_r:httpd_log_t tclass=file
Apr 16 15:02:36 chaos kernel: audit(1082142156.996:0): avc:  denied  {
write } for  pid=25796 exe=/usr/sbin/httpd name=.index dev=hda7
ino=868025 scontext=root:system_r:httpd_t tcontext=root:object_r:usr_t
tclass=file
 
 
After applying policy=1.11.2-8
 
Apr 16 15:13:19 chaos kernel: audit(1082142799.863:0): avc:  granted 
{ setenforce } for  pid=26215 exe=/usr/bin/setenforce
scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t
tclass=security
Apr 16 15:13:22 chaos kernel: audit(1082142802.703:0): avc:  granted 
{ setenforce } for  pid=26217 exe=/usr/bin/setenforce
scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t
tclass=security
Apr 16 15:13:36 chaos httpd: httpd startup succeeded
Apr 16 15:13:36 chaos kernel: audit(1082142816.393:0): avc:  denied  {
write } for  pid=26233 exe=/usr/sbin/httpd name=jk2.shm dev=hda7
ino=1056042 scontext=root:system_r:httpd_t
tcontext=root:object_r:httpd_log_t tclass=file
Apr 16 15:13:36 chaos kernel: audit(1082142816.622:0): avc:  denied  {
write } for  pid=26233 exe=/usr/sbin/httpd name=.index dev=hda7
ino=868025 scontext=root:system_r:httpd_t tcontext=root:object_r:usr_t
tclass=file

Comment 1 Colin Walters 2004-04-16 22:49:46 UTC
I can reproduce this.  When I do an enableaudit policy build, I can
see denials like:

audit(1082155901.061:0): avc:  denied  { read write } for  pid=4124
exe=/usr/sbin/httpd path=/dev/pts/9 dev= ino=11
scontext=root:system_r:httpd_t tcontext=root:object_r:sysadm_devpts_t
tclass=chr_file

If I allow this, Apache starts up correctly.  Investigating more...

Comment 2 Colin Walters 2004-04-16 23:26:02 UTC
Hm, it appears to be getting an error deep in APR.  I wonder if this
has something to do with the kernel closing fds 0-2 again.

Comment 3 Colin Walters 2004-04-19 15:12:45 UTC
Now I can't reproduce this anymore.  I couldn't on my laptop in the
first place, and after a yum upgrade and a reboot on my desktop, the
issue is gone there as well.   The only thing I can think of is that
maybe some of the recent networking changes in the policy require a
reboot to have the sockets correctly labeled.

Gene, can you try upgrading to the latest rawhide and/or rebooting
your system?  Can you reproduce this 100% still?  


Comment 4 Gene Czarcinski 2004-04-20 07:52:37 UTC
Still getting some avc: denied messages but I can now start and get
connected when enforcing=1.  Whetever the problem was, it is now fixed.

policy=1.11.2-9

closing


Note You need to log in before you can comment on or make changes to this bug.