From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041215 Firefox/1.0 Red Hat/1.0-12.EL4

Description of problem:
SELinux does not block the httpd server when we try to start on a non-http port, such as port 22. The web server binds to the port normally, which should not be the case.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.88

How reproducible:
Always

Steps to Reproduce:
1. Modify the /etc/httpd/conf/httpd.conf file to have the web server listen on port 22:
   Listen 22
2. Stop the ssh server and restart apache:
   service sshd stop
   service httpd restart
3. httpd now listens on port 22, even though selinux should have blocked it.

Actual Results:
The /var/log/messages file does not include any denial message for the bind operation.

Expected Results:
The httpd start operation should have failed with a selinux denial message in the log file.

Additional info:
setsebool allow_ypbind=false solves the problem, so there might be something in the ypbind policy that opens up port access.
Yes, this is allow_ypbind causing this, although port 22 should have been prevented. Basically ypbind causes all network daemons to need access to a port returned by portmapper. We cannot predetermine this port, so we need to allow access to all non-"reserved_ports". In the case of SELinux we define this as all ports with defined selinux policy less than 1024. So the ssh_port should have been covered. I will fix this the next time we release policy for RHEL.
Actually, looking back at selinux policy for RHEL4, this port was not defined, so I can't easily fix this problem until the next release. FC4 and RHEL5 will have this fix.
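The maintainer's comments above come down to a labeling question: whether the port httpd is told to listen on carries a specific SELinux port type (such as ssh_port_t) or falls into the generic reserved range that allow_ypbind opens to network daemons. The following is an added example, not code from the bug report or from the SELinux policy package, that predicts the outcome for a given port from a `semanage port -l` style listing and then checks a log excerpt for the name_bind AVC denial the reporter expected. The listing text, the log lines, the set of port types httpd is assumed to be allowed, and the 1024 split between reserved_port_t and unreserved_port_t are all constructed or assumed for the example; type names in a real policy should be read from `semanage port -l` on the host.

```python
"""Predict SELinux port labeling and httpd bind outcome from a port listing.

Assumptions (not taken from the bug report):
  * the listing format is the one `semanage port -l` prints: type, protocol,
    then a comma-separated list of ports or low-high ranges;
  * ports with no specific type default to reserved_port_t below 1024 and
    unreserved_port_t at or above 1024 (classic policy split);
  * httpd_t may name_bind to http_port_t by default, and the allow_ypbind
    boolean opens reserved_port_t to network daemons, as the maintainer's
    comment describes.
"""
import re
from typing import Dict, List, Tuple

# Constructed listing for a policy that labels port 22 as ssh_port_t
# (the situation after the fix the maintainer refers to).
FIXED_POLICY_LISTING = """\
SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
ssh_port_t                     tcp      22
"""

# Constructed listing standing in for the RHEL4 policy in the report, where
# port 22 had no specific type and therefore fell into reserved_port_t.
UNFIXED_POLICY_LISTING = """\
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
"""

# Constructed /var/log/messages excerpt with one name_bind denial for httpd.
SAMPLE_MESSAGES = [
    'Jan 15 10:00:01 host httpd: httpd startup succeeded',
    'Jan 15 10:00:02 host kernel: audit(1105800002.123:45): avc:  denied  '
    '{ name_bind } for  pid=1234 comm="httpd" src=22 '
    'scontext=root:system_r:httpd_t tcontext=system_u:object_r:ssh_port_t '
    'tclass=tcp_socket',
]

ENTRY_RE = re.compile(r"^(\w+_t)\s+(tcp|udp)\s+([\d,\s-]+)$")
# Generic range types are handled by the default rule, not by the table.
DEFAULT_TYPES = {"reserved_port_t", "unreserved_port_t", "port_t"}
HTTPD_BIND_TYPES = {"http_port_t"}  # assumed: types httpd_t may name_bind

PortTable = Dict[Tuple[str, int], str]


def parse_port_listing(listing: str) -> PortTable:
    """Map (proto, port) -> SELinux port type for every explicitly labeled port."""
    table: PortTable = {}
    for line in listing.splitlines():
        match = ENTRY_RE.match(line.strip())
        if not match:
            continue  # header, blank line or malformed entry
        ptype, proto, ports = match.groups()
        if ptype in DEFAULT_TYPES:
            continue
        for item in ports.split(","):
            item = item.strip()
            if not item:
                continue
            low, high = (int(x) for x in item.split("-", 1)) if "-" in item else (int(item),) * 2
            for port in range(low, high + 1):
                table[(proto, port)] = ptype  # overlapping entries not expected
    return table


def port_type(table: PortTable, proto: str, port: int) -> str:
    """Label a bind on proto/port is checked against, applying the default split."""
    if (proto, port) in table:
        return table[(proto, port)]
    return "reserved_port_t" if port < 1024 else "unreserved_port_t"


def httpd_bind_expected(table: PortTable, port: int, allow_ypbind: bool,
                        proto: str = "tcp") -> Tuple[bool, str]:
    """Predict whether httpd_t binding to the port should succeed, with the reason."""
    ptype = port_type(table, proto, port)
    if ptype in HTTPD_BIND_TYPES:
        return True, f"{ptype} is a port type httpd policy allows"
    if ptype == "reserved_port_t" and allow_ypbind:
        return True, "reserved_port_t is opened to network daemons by allow_ypbind"
    return False, f"bind to {ptype} should be denied (expect a name_bind AVC)"


AVC_RE = re.compile(r'avc:\s+denied\s+\{ name_bind \}.*?comm="(?P<comm>[^"]+)".*?\bsrc=(?P<port>\d+)')


def find_bind_denials(log_lines: List[str], comm: str = "httpd") -> List[int]:
    """Ports for which the log shows a name_bind denial for the given command."""
    ports = []
    for line in log_lines:
        match = AVC_RE.search(line)
        if match and match.group("comm") == comm:
            ports.append(int(match.group("port")))
    return ports


if __name__ == "__main__":
    for name, listing in (("unfixed", UNFIXED_POLICY_LISTING), ("fixed", FIXED_POLICY_LISTING)):
        table = parse_port_listing(listing)
        for boolean in (True, False):
            allowed, why = httpd_bind_expected(table, 22, allow_ypbind=boolean)
            print(f"{name} policy, allow_ypbind={boolean}: port 22 -> {allowed} ({why})")
    print("name_bind denials for httpd in sample log:", find_bind_denials(SAMPLE_MESSAGES))
```

Run against the two constructed listings, the script reproduces the thread: with the RHEL4-style listing port 22 is reserved_port_t and allow_ypbind=true predicts a successful bind with no denial, while with the fixed listing port 22 is ssh_port_t and a bind should be denied regardless of the boolean. The log scan is the check to run after `service httpd restart`, on the real listing from `semanage port -l` and the real /var/log/messages (or audit log) of the host.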