Bug 121068 - Connection refused attempt to contact http server
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: policy
rawhide
All Linux
medium Severity medium
Assigned To: Colin Walters
Blocks: FC2Blocker
Reported: 2004-04-16 15:14 EDT by Gene Czarcinski
Modified: 2007-11-30 17:10 EST
Doc Type: Bug Fix
Last Closed: 2004-04-20 03:52:37 EDT
Description Gene Czarcinski 2004-04-16 15:14:02 EDT
Description of problem:

I started httpd (configured as distributed).  I then attempted to
contact it from another system.

start httpd when enforcing=0 ... works

start httpd when enforcing=1 ... connection refused.


policy=1.11.2-8

Here are the messages from /var/log/messages:

Apr 16 15:02:24 chaos httpd: httpd shutdown succeeded
Apr 16 15:02:31 chaos kernel: audit(1082142151.511:0): avc:  granted 
{ setenforce } for  pid=25782 exe=/usr/bin/setenforce
scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t
tclass=security
Apr 16 15:02:36 chaos httpd: httpd startup succeeded
Apr 16 15:02:36 chaos kernel: audit(1082142156.772:0): avc:  denied  {
write } for  pid=25796 exe=/usr/sbin/httpd name=jk2.shm dev=hda7
ino=1056042 scontext=root:system_r:httpd_t
tcontext=root:object_r:httpd_log_t tclass=file
Apr 16 15:02:36 chaos kernel: audit(1082142156.996:0): avc:  denied  {
write } for  pid=25796 exe=/usr/sbin/httpd name=.index dev=hda7
ino=868025 scontext=root:system_r:httpd_t tcontext=root:object_r:usr_t
tclass=file
 
 
After applying policy=1.11.2-8
 
Apr 16 15:13:19 chaos kernel: audit(1082142799.863:0): avc:  granted 
{ setenforce } for  pid=26215 exe=/usr/bin/setenforce
scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t
tclass=security
Apr 16 15:13:22 chaos kernel: audit(1082142802.703:0): avc:  granted 
{ setenforce } for  pid=26217 exe=/usr/bin/setenforce
scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t
tclass=security
Apr 16 15:13:36 chaos httpd: httpd startup succeeded
Apr 16 15:13:36 chaos kernel: audit(1082142816.393:0): avc:  denied  {
write } for  pid=26233 exe=/usr/sbin/httpd name=jk2.shm dev=hda7
ino=1056042 scontext=root:system_r:httpd_t
tcontext=root:object_r:httpd_log_t tclass=file
Apr 16 15:13:36 chaos kernel: audit(1082142816.622:0): avc:  denied  {
write } for  pid=26233 exe=/usr/sbin/httpd name=.index dev=hda7
ino=868025 scontext=root:system_r:httpd_t tcontext=root:object_r:usr_t
tclass=file
Comment 1 Colin Walters 2004-04-16 18:49:46 EDT
I can reproduce this.  When I do an enableaudit policy build, I can
see denials like:

audit(1082155901.061:0): avc:  denied  { read write } for  pid=4124
exe=/usr/sbin/httpd path=/dev/pts/9 dev= ino=11
scontext=root:system_r:httpd_t tcontext=root:object_r:sysadm_devpts_t
tclass=chr_file

If I allow this, Apache starts up correctly.  Investigating more...
Comment 2 Colin Walters 2004-04-16 19:26:02 EDT
Hm, it appears to be getting an error deep in APR.  I wonder if this
has something to do with the kernel closing fds 0-2 again.
Comment 3 Colin Walters 2004-04-19 11:12:45 EDT
Now I can't reproduce this anymore.  I couldn't on my laptop in the
first place, and after a yum upgrade and a reboot on my desktop, the
issue is gone there as well.   The only thing I can think of is that
maybe some of the recent networking changes in the policy require a
reboot to have the sockets correctly labeled.

Gene, can you try upgrading to the latest rawhide and/or rebooting
your system?  Can you reproduce this 100% still?  
Comment 4 Gene Czarcinski 2004-04-20 03:52:37 EDT
Still getting some avc: denied messages but I can now start and get
connected when enforcing=1.  Whatever the problem was, it is now fixed.

policy=1.11.2-9

closing
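
Added example (not part of the original bug report, and not code from the Fedora policy tools): a small Python parser that rejoins wrapped AVC records like the ones quoted in this thread and groups the denials by source type, target type and object class. The sample text is copied from the description and comment 1; the function names are made up for this illustration.

```python
import re
from collections import defaultdict

# Records copied from this bug report (description and comment 1), line wraps kept.
SAMPLE = """\
Apr 16 15:02:31 chaos kernel: audit(1082142151.511:0): avc:  granted
{ setenforce } for  pid=25782 exe=/usr/bin/setenforce
scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t
tclass=security
Apr 16 15:02:36 chaos httpd: httpd startup succeeded
Apr 16 15:02:36 chaos kernel: audit(1082142156.772:0): avc:  denied  {
write } for  pid=25796 exe=/usr/sbin/httpd name=jk2.shm dev=hda7
ino=1056042 scontext=root:system_r:httpd_t
tcontext=root:object_r:httpd_log_t tclass=file
audit(1082155901.061:0): avc:  denied  { read write } for  pid=4124
exe=/usr/sbin/httpd path=/dev/pts/9 dev= ino=11
scontext=root:system_r:httpd_t tcontext=root:object_r:sysadm_devpts_t
tclass=chr_file
"""

AVC = re.compile(r"avc: (granted|denied) \{ ([^}]+)\} for ([^{}]*?\btclass=\S+)")

def parse_avc(text):
    """Return one dict per AVC record, tolerating records wrapped over lines."""
    flat = " ".join(text.split())  # undo wrapping and doubled spaces
    records = []
    for m in AVC.finditer(flat):
        f = dict(re.findall(r"(\w+)=(\S*)", m.group(3)))  # "dev=" yields ""
        records.append({
            "result": m.group(1), "perms": m.group(2).split(),
            "source": f["scontext"].split(":")[2],  # user:role:type
            "target": f["tcontext"].split(":")[2],
            "tclass": f["tclass"], "object": f.get("name") or f.get("path", ""),
        })
    return records

def summarize_denials(records):
    """Merge denied records into {(source, target, class): (perms, objects)}."""
    merged = defaultdict(lambda: (set(), set()))
    for r in records:
        if r["result"] == "denied":
            perms, objs = merged[(r["source"], r["target"], r["tclass"])]
            perms.update(r["perms"])
            objs.add(r["object"])
    return dict(merged)

if __name__ == "__main__":
    for (src, tgt, cls), (perms, objs) in sorted(summarize_denials(parse_avc(SAMPLE)).items()):
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(perms))} }} objects={sorted(objs)}")
```

Grouping by type and class makes it easier to tell a labeling problem (httpd writing to a file typed `httpd_log_t`) from an inherited descriptor (the `sysadm_devpts_t` terminal) before deciding whether any policy change is warranted.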
