Bug 159966 - Squid fails to start listening on port 80
Squid fails to start listening on port 80
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: selinux-policy-targeted (Show other bugs)
x86_64 Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Depends On:
Blocks: 156322
  Show dependency treegraph
Reported: 2005-06-09 15:33 EDT by Matthew Booth
Modified: 2007-11-30 17:07 EST (History)
0 users

See Also:
Fixed In Version: RHBA-2005-645
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2005-10-05 12:34:50 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Matthew Booth 2005-06-09 15:33:55 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.7.8) Gecko/20050512 Red Hat/1.0.4-1.4.1 Firefox/1.0.4

Description of problem:
I have squid configured as an http accellerator listening on port 80. When selinux is enabled it does not start. The error message in cache.log is:

2005/06/09 20:22:41| commBind: Cannot bind socket FD 13 to x.x.x.x:80: (13) Permission denied
2005/06/09 20:22:41| commBind: Cannot bind socket FD 13 to x.x.x.y:80: (13) Permission denied

When selinux is in permissive mode it starts correctly. The only logging in syslog is:

Jun  9 11:34:06 hydra1 kernel: audit(1118313246.485:0): avc:  denied  { getattr
} for  pid=3187 comm=squid path=/boot dev=sda1 ino=2 scontext=root:system_r:squid_t tcontext=system_u:object_r:boot_t tclass=dir

This is displayed once per child process. It does not appear to be the cause of the failure.

Russell Coker said:
I guess that you changed the port number as well as the IP address.
squid_t is permitted to bind to ports of type http_cache_port_t, that
means the following ports (from the net_contexts file):
portcon tcp 3128  system_u:object_r:http_cache_port_t
portcon tcp 8080  system_u:object_r:http_cache_port_t
portcon udp 3130  system_u:object_r:http_cache_port_t
portcon tcp 8118  system_u:object_r:http_cache_port_t

We can solve that with the following policy.

bool squid_use_http_port false;
if (squid_use_http_port) {
allow squid_t http_port_t:tcp_socket name_bind;

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.88 squid-2.5.STABLE6-3.4E.5

How reproducible:

Steps to Reproduce:
1. Install Squid
2. Enable the targetted policy
3. Change http_port to 80 in /etc/squid/squid.conf
4. service squid start

Actual Results:  Squid fails to bind to its network ports

Expected Results:  Squid starts

Additional info:
Comment 1 Daniel Walsh 2005-07-21 14:08:24 EDT
Fixed in selinux-policy-targeted-1.17.30-2.100
Comment 2 Red Hat Bugzilla 2005-10-05 12:34:50 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.