Bug 167587 - When httpd is configured to listen on a port other than 80 or 8080 the service failes to start.
Summary: When httpd is configured to listen on a port other than 80 or 8080 the servic...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: i386
OS: Linux
medium
low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2005-09-05 23:36 UTC by Dave
Modified: 2007-11-30 22:11 UTC (History)
1 user (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2005-09-05 23:52:45 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Dave 2005-09-05 23:36:01 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6

Description of problem:
When I changed the httpd.conf configuration to listen on a port other than 80 or 8080  (for example I used 750) the service failed to start.  I confirmed the syntax of the httpd.conf file was correct using apachectl... also it ran fine when starting the program from the command line.  I was able to fall back to the fedora core 2 init.d/httpd script and it worked successfully.  Thanks.

Version-Release number of selected component (if applicable):
httpd-2.0.54-10.1

How reproducible:
Always

Steps to Reproduce:
1.change port number in the /etc/httpd/conf/httpd.conf file to something other than 80 or 8080.
2.Restart the service.  It should fail to load.
3.
  

Actual Results:  The service failed to start.

Expected Results:  Program should have loaded listening on the other port.

Additional info:

Comment 1 Rahul Sundaram 2005-09-05 23:52:45 UTC

This is not a bug.

Fedora Core 4 is configured to use SELinux targeted policy by default which
protects Apache from connecting to other ports.  You need to enable the SELinux
Apache boolean, httpd_can_network_connec=1  in /etc/selinux/targeted/booleans
file and reboot the system or use system-config-securitylevel tool to set this. 

For more information about SELinux see the following documents which applies to
FC4 also.

http://fedora.redhat.com/docs/selinux-faq-fc3/
http://fedora.redhat.com/docs/selinux-apache-fc3/

If you require further help on this, feel free to post to the fedora-selinux list

http://www.redhat.com/mailman/listinfo/fedora-selinux-list

Comment 2 Karsten Wade 2005-09-06 00:04:33 UTC
Instead of rebooting, do this:

setsebool httpd_can_network_connec 1

That changes the boolean in runtime.

Also change the Boolean in /etc/selinux/targeted/booleans, as from Comment #1,
so that the change is picked up on next boot.

Just in case, it's worth confirming that your initscript has the correct SELinux
label:

ls -Z /etc/init.d/httpd
-rwxr-xr-x  root     root     system_u:object_r:initrc_exec_t  /etc/init.d/httpd

This is on FC3.  The key is the type of initrc_exec_t.  If the type is
different, you can run 'restorecon /etc/init.d/httpd'.

Comment 3 Karsten Wade 2005-09-06 00:06:54 UTC
Oops, Rahul and I both chopped a 't' off the Boolean:

setsebool httpd_can_network_connect 1

Comment 4 Daniel Walsh 2005-09-06 21:01:30 UTC
setsebool -P httpd_can_network_connect 1

will make it permanant, ie change the running machine and add an entry to the
booleans file.


Note You need to log in before you can comment on or make changes to this bug.