Description of problem: I started httpd (configured as distributed). I then attempted to contact it from another system. start httpd when enforcing=0 ... works start httpd when enforcing=1 ... connection refused. policy=1.11.2-8 Here are the messages from /var/log/messages: Apr 16 15:02:24 chaos httpd: httpd shutdown succeeded Apr 16 15:02:31 chaos kernel: audit(1082142151.511:0): avc: granted { setenforce } for pid=25782 exe=/usr/bin/setenforce scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t tclass=security Apr 16 15:02:36 chaos httpd: httpd startup succeeded Apr 16 15:02:36 chaos kernel: audit(1082142156.772:0): avc: denied { write } for pid=25796 exe=/usr/sbin/httpd name=jk2.shm dev=hda7 ino=1056042 scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_log_t tclass=file Apr 16 15:02:36 chaos kernel: audit(1082142156.996:0): avc: denied { write } for pid=25796 exe=/usr/sbin/httpd name=.index dev=hda7 ino=868025 scontext=root:system_r:httpd_t tcontext=root:object_r:usr_t tclass=file After applying policy=1.11.2-8 Apr 16 15:13:19 chaos kernel: audit(1082142799.863:0): avc: granted { setenforce } for pid=26215 exe=/usr/bin/setenforce scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t tclass=security Apr 16 15:13:22 chaos kernel: audit(1082142802.703:0): avc: granted { setenforce } for pid=26217 exe=/usr/bin/setenforce scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t tclass=security Apr 16 15:13:36 chaos httpd: httpd startup succeeded Apr 16 15:13:36 chaos kernel: audit(1082142816.393:0): avc: denied { write } for pid=26233 exe=/usr/sbin/httpd name=jk2.shm dev=hda7 ino=1056042 scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_log_t tclass=file Apr 16 15:13:36 chaos kernel: audit(1082142816.622:0): avc: denied { write } for pid=26233 exe=/usr/sbin/httpd name=.index dev=hda7 ino=868025 scontext=root:system_r:httpd_t tcontext=root:object_r:usr_t tclass=file
I can reproduce this. When I do an enableaudit policy build, I can see denials like: audit(1082155901.061:0): avc: denied { read write } for pid=4124 exe=/usr/sbin/httpd path=/dev/pts/9 dev= ino=11 scontext=root:system_r:httpd_t tcontext=root:object_r:sysadm_devpts_t tclass=chr_file If I allow this, Apache starts up correctly. Investigating more...
Hm, it appears to be getting an error deep in APR. I wonder if this has something to do with the kernel closing fds 0-2 again.
Now I can't reproduce this anymore. I couldn't on my laptop in the first place, and after a yum upgrade and a reboot on my desktop, the issue is gone there as well. The only thing I can think of is that maybe some of the recent networking changes in the policy require a reboot to have the sockets correctly labeled. Gene, can you try upgrading to the latest rawhide and/or rebooting your system? Can you reproduce this 100% still?
Still getting some avc: denied messages but I can now start and get connected when enforcing=1. Whetever the problem was, it is now fixed. policy=1.11.2-9 closing