Red Hat Bugzilla – Bug 162202
httpd can bind to any port in enforce mode
Last modified: 2007-11-30 17:07:18 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041215 Firefox/1.0 Red Hat/1.0-12.EL4
Description of problem:
SELinux does not block the httpd server when we try to start on a non-http port, such as port 22. The web server binds to the port normally, which should not be the case.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Modify the /etc/httpd/conf/httpd.conf file to have the web server listen on port 22:
2. Stop the ssh server and restart apache:
service sshd stop
service httpd restart
3. httpd now listens to port 22, even though selinux should have blocked it.
Actual Results: The /var/log/messages file does not include any denial message for the bind operation.
Expected Results: The httpd start operation should have failed with a selinux denial message in the log file.
solves the problem, so there might be something in the ypbind policy that opens up port access.
Yes, this is allow_ypbind causing this, although port 22 should have been prevented. Basically ypbind causes all network daemons to need access to a port returned by portmapper. We cannot predetermine this port, so we need to allow access to all non "reserved_ports". In the case of SELinux we define this as all ports with defined selinux policy less than 1024. So the ssh_port should have been covered. I will fix this the next time we release policy for RHEL.
Actually, looking back at selinux policy for RHEL4, this port was not defined, so I can't easily fix this problem until the next release. FC4 and RHEL5 will have this fix.
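The comments above describe the mechanism: with allow_ypbind on, any network daemon may bind to any port that has no defined SELinux port type, so a port that should have its own type (ssh_port for port 22 in RHEL4) but lacks one is left open. The script below is an added example, not part of the bug report or of the SELinux policy, that checks a host for this condition from a defender's side: it parses the output of `semanage port -l` to see whether a given port has a defined type, reads `getsebool allow_ypbind`, and reports whether the port is covered by its own type, exposed by the boolean, or unaffected because the boolean is off. The port listing and boolean output embedded in the script are constructed samples so it runs offline; the port numbers and types in them (including ssh_port_t for 22) are illustrative, not a statement about any particular release's policy.

```shell
#!/bin/sh
# Added example (not from the bug report): decide whether a port is covered by
# a defined SELinux port type and therefore outside the catch-all access that
# the allow_ypbind boolean grants to network daemons.
#
# SAMPLE_PORTS and SAMPLE_BOOL are CONSTRUCTED samples of what
# `semanage port -l` and `getsebool allow_ypbind` print. On a real host
# substitute the live command output (see usage note below the block).

SAMPLE_PORTS='SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
ssh_port_t                     tcp      22
smtp_port_t                    tcp      25, 465, 587
ephemeral_port_t               tcp      32768-61000'

SAMPLE_BOOL='allow_ypbind --> on'

# port_type PORT PROTO  (semanage output on stdin)
# Prints the SELinux type whose list contains PORT for PROTO, or nothing
# if no defined type claims it. Handles single ports and NNN-MMM ranges.
port_type() {
    port="$1"; proto="$2"
    awk -v p="$port" -v pr="$proto" '
        $2 == pr {
            # fields 3.. are a comma separated list of ports and ranges
            for (i = 3; i <= NF; i++) {
                f = $i; sub(/,$/, "", f)
                if (f ~ /-/) {
                    split(f, r, "-")
                    if (p+0 >= r[1]+0 && p+0 <= r[2]+0) { print $1; exit }
                } else if (f+0 == p+0) { print $1; exit }
            }
        }'
}

# ypbind_on  (getsebool output on stdin): succeeds if the boolean is on
ypbind_on() {
    grep -q 'allow_ypbind --> on'
}

# assess PORT PROTO PORTS_TEXT BOOL_TEXT
# Prints one word:
#   covered  - the port has its own defined type, so allow_ypbind does not
#              open it to unrelated daemons
#   exposed  - allow_ypbind is on and the port has no defined type (the
#              situation the bug describes for port 22 on RHEL4)
#   closed   - allow_ypbind is off; only each daemon's own port types apply
assess() {
    t=$(printf '%s\n' "$3" | port_type "$1" "$2")
    if printf '%s\n' "$4" | ypbind_on; then
        if [ -n "$t" ]; then echo covered; else echo exposed; fi
    else
        echo closed
    fi
}

# Stand-alone run against the constructed samples.
printf '22/tcp:    %s\n' "$(assess 22 tcp "$SAMPLE_PORTS" "$SAMPLE_BOOL")"
printf '2200/tcp:  %s\n' "$(assess 2200 tcp "$SAMPLE_PORTS" "$SAMPLE_BOOL")"
printf '40000/tcp: %s\n' "$(assess 40000 tcp "$SAMPLE_PORTS" "$SAMPLE_BOOL")"
```

On a live system the same functions take real output, for example `assess 22 tcp "$(semanage port -l)" "$(getsebool allow_ypbind)"`; a result of `exposed` for a port a daemon depends on is the condition worth raising, and the remedy on modern policy is to give the port a type with `semanage port -a` rather than to leave it undefined. The script only reads policy state; it changes nothing.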