From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6

Description of problem:
When I changed the httpd.conf configuration to listen on a port other than 80 or 8080 (for example I used 750) the service failed to start. I confirmed the syntax of the httpd.conf file was correct using apachectl... also it ran fine when starting the program from the command line. I was able to fall back to the Fedora Core 2 init.d/httpd script and it worked successfully. Thanks.

Version-Release number of selected component (if applicable):
httpd-2.0.54-10.1

How reproducible:
Always

Steps to Reproduce:
1. Change port number in the /etc/httpd/conf/httpd.conf file to something other than 80 or 8080.
2. Restart the service. It should fail to load.
3.

Actual Results:
The service failed to start.

Expected Results:
Program should have loaded listening on the other port.

Additional info:
This is not a bug. Fedora Core 4 is configured to use SELinux targeted policy by default, which protects Apache from connecting to other ports. You need to enable the SELinux Apache boolean, httpd_can_network_connec=1, in the /etc/selinux/targeted/booleans file and reboot the system, or use the system-config-securitylevel tool to set this.

For more information about SELinux, see the following documents, which apply to FC4 also:

http://fedora.redhat.com/docs/selinux-faq-fc3/
http://fedora.redhat.com/docs/selinux-apache-fc3/

If you require further help on this, feel free to post to the fedora-selinux list:

http://www.redhat.com/mailman/listinfo/fedora-selinux-list
Instead of rebooting, do this:

    setsebool httpd_can_network_connec 1

That changes the boolean at runtime. Also change the Boolean in /etc/selinux/targeted/booleans, as from Comment #1, so that the change is picked up on next boot.

Just in case, it's worth confirming that your initscript has the correct SELinux label:

    ls -Z /etc/init.d/httpd
    -rwxr-xr-x root root system_u:object_r:initrc_exec_t /etc/init.d/httpd

This is on FC3. The key is the type of initrc_exec_t. If the type is different, you can run 'restorecon /etc/init.d/httpd'.
Oops, Rahul and I both chopped a 't' off the Boolean:

    setsebool httpd_can_network_connect 1
    setsebool -P httpd_can_network_connect 1

will make it permanent, i.e. change the running machine and add an entry to the booleans file.
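
Added example, not part of the bug thread or of any Fedora tool: a shell sketch of the two checks the comments describe, namely reading the type field out of `ls -Z` output and looking up a boolean by its exact name in the text of a booleans file. The function names and the sample inputs are constructed for illustration, and the `name=value` file format is assumed from the entry quoted in the first reply.

```shell
#!/bin/sh
# Offline checks on captured text; nothing here touches the live SELinux state.

# Print the SELinux type (third field of user:role:type[:level]) found in
# one line of `ls -Z` output. The role field is recognised by its _r suffix.
selinux_type_of() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            n = split($i, part, ":")
            if (n >= 3 && part[2] ~ /_r$/) { print part[3]; exit }
        }
    }'
}

# Print "on", "off" or "missing" for boolean $1 in booleans-file text $2.
# The match is on the exact name, so a truncated entry does not count.
boolean_state() {
    printf '%s\n' "$2" | awk -F= -v name="$1" '
        { k = $1; v = $2; gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v) }
        k == name { state = (v == "1") ? "on" : "off" }
        END { print (state == "" ? "missing" : state) }'
}

# Constructed sample: the ls -Z line as quoted in the thread.
SAMPLE_LS='-rwxr-xr-x root root system_u:object_r:initrc_exec_t /etc/init.d/httpd'

# Constructed sample: a booleans file carrying the truncated name from the
# first two comments.
SAMPLE_BOOLEANS='httpd_enable_cgi=1
httpd_can_network_connec=1'

echo "initscript type: $(selinux_type_of "$SAMPLE_LS")"
echo "httpd_can_network_connect: $(boolean_state httpd_can_network_connect "$SAMPLE_BOOLEANS")"
```

On a real system, pass the output of `ls -Z /etc/init.d/httpd` and the contents of the booleans file in place of the samples.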