Bug 164992 – Mod_proxy does not work with SElinux default policy

Bug 164992 - Mod_proxy does not work with SElinux default policy

Summary:	Mod_proxy does not work with SElinux default policy

Status:	CLOSED NOTABUG

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	httpd (Show other bugs)
Sub Component:
Version:	4
Hardware:	i386 Linux

Priority	medium Severity low
Target Milestone:	---
Target Release:	---
Assigned To:	Joe Orton
QA Contact:
Docs Contact:

URL:
Whiteboard:
Keywords:	SELinux

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2005-08-03 08:02 EDT by Marc Jadoul
Modified:	2007-11-30 17:11 EST (History)
CC List:	0 users

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2005-08-03 08:09:05 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Marc Jadoul 2005-08-03 08:02:27 EDT

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050720 Fedora/1.0.6-1.1.fc4 Firefox/1.0.6

Description of problem:
Bad: mod_proxy fail if selinux is enabled

[Wed Aug 03 13:52:12 2005] [debug] proxy_http.c(67): proxy: HTTP: canonicalising URL //webmail.XXX.be/exchange/
[Wed Aug 03 13:52:12 2005] [debug] mod_proxy.c(419): Trying to run scheme_handler
[Wed Aug 03 13:52:12 2005] [debug] proxy_http.c(1062): proxy: HTTP: serving URL https://webmail.XXX.be/exchange/
[Wed Aug 03 13:52:12 2005] [debug] proxy_http.c(186): proxy: HTTP connecting https://webmail.XXX.be/exchange/ to webmail.XXX.be:443
[Wed Aug 03 13:52:12 2005] [debug] proxy_util.c(1139): proxy: HTTP: fam 2 socket created to
connect to webmail.XXX.be
Bad: [Wed Aug 03 13:52:12 2005] [error] (13)Permission denied: proxy: HTTP: attempt to connect to 123.123.123.123:443 (webmail.XXX.be) failed


Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.25.3-9 httpd-2.0.54-10.1

How reproducible:
Always

Steps to Reproduce:
1.setenforce 1
2.access your http server configured ro reverse proxying
3.fail with message: BAD gateway
4. setenforce 0
5. it work.
  

Expected Results:  I would expect the default policy to allow proxying and Message is not explicit and I had to search a long time to understand....

Additional info:

Comment 1 Joe Orton 2005-08-03 08:09:05 EDT

This is due to the SELinux policy, which prevents httpd processes from
making outgoing network connections by default.  The
httpd_can_network_connect boolean can be used to change this
behaviour; to allow connections:

  setsebool httpd_can_network_connect=1

passing the -P argument to set the boolean permanently (across
reboots).

For further information on SELinux/Apache integration in Fedora Core,
please see: http://fedora.redhat.com/docs/selinux-apache-fc3/

For general information on SELinux in Fedora Core, please see:
http://fedora.redhat.com/docs/selinux-faq-fc3/

Note You need to log in before you can comment on or make changes to this bug.