Bug 167810 - SELinux blocks Privoxy Connections to Nonstandard Ports
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Karsten Hopp
Reported: 2005-09-08 09:18 EDT by Carsten Clasohm
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2005-11-30 10:04:41 EST
Description Carsten Clasohm 2005-09-08 09:18:38 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.10) Gecko/20050720 Fedora/1.0.6-1.1.fc4 Firefox/1.0.6

Description of problem:
With the targeted SELinux policy enabled and the browser configured to use Privoxy as its HTTP proxy, accessing a Web server which runs on a nonstandard port like 9005 will fail with a "503 - Connect Failed" error from Privoxy.


Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.25.4-10

How reproducible:
Always

Steps to Reproduce:
1. Enable the targeted SELinux policy.

2. Start Privoxy and configure your browser to use localhost:8118 as its HTTP proxy.

3. Try to access a Web server which does not run on port 80 or 443, like http://sharenet.redhat.de:9800/

4. Disable SELinux protection for Privoxy, restart Privoxy, and you can access the Web server.


Actual Results:  503 - Connect Failed

Expected Results:  Privoxy should be able to connect to the server.

Additional info:

While ports other than 80 and 443 are unusual for HTTP, they are commonly used by Web developers, and for non-public Web sites. They should not be blocked by the SELinux policy.
Comment 1 Daniel Walsh 2005-11-30 10:04:41 EST
I think you are pointing out two problems with this bug report.

The easiest to fix is allowing privoxy/httpd to connect to remote ports.

setsebool -P httpd_can_network_connect=1

Allows http to connect to any port.

Now if you wanted to run a webserver that listens on a different port, the only
solution in FC4/RHEL4 is to customize policy.  We are changing this in FC5/RHEL5
allowing administrators to label additional ports.  So you could specify a
specific port as an httpd_port_t and allow httpd to listen on it.
Comment 2 Carsten Clasohm 2005-12-05 08:29:12 EST
Activating httpd_can_network_connect does not work with privoxy-3.0.3-7 and
selinux-policy-targeted-1.27.1-2.14 - I still get "503 - Connect Failed" when I
try to connect to a server running on port 9800. Note that this server runs on a
different machine. This ticket is not about how to get that server running, only
about accessing it via Privoxy.

I modified the policy and added "allow privoxy_t port_t:tcp_socket
name_connect;" in local.te - that worked.
Comment 3 Carsten Clasohm 2006-05-09 04:41:39 EDT
For the record, the following command can be used with FC5 to allow Privoxy to
connect to port 9800:

semanage port -a -t http_port_t -p tcp 9800

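The denials behind this report can be confirmed and triaged from the audit log before any policy is changed. The script below is an added example and is not part of the bug report or of Fedora's policy tooling: it parses AVC records of the kind the reporter's setup would produce, keeps only tcp_socket name_connect denials, and maps each to the remediation discussed in Comments 1 and 3: the httpd_can_network_connect boolean when the destination port already carries a specific port type, and labeling the port as http_port_t with semanage when it is still the generic port_t, since Comment 2 reports that the boolean alone did not cover that case. The sample audit lines, PIDs and port numbers are constructed for illustration; the field layout follows the standard audit AVC record format.

```python
"""Added example (not part of the Bugzilla report): classify SELinux AVC
denials of the kind behind this bug and map each to the remediation the
comments discuss.  All sample records below are constructed."""

import re

# Constructed sample audit records, not real output from the reporter's system.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1126185518.123:45): avc:  denied  { name_connect } for  pid=1234 comm="privoxy" dest=9800 scontext=root:system_r:privoxy_t tcontext=system_u:object_r:port_t tclass=tcp_socket
type=AVC msg=audit(1126185519.456:46): avc:  denied  { name_connect } for  pid=1234 comm="privoxy" dest=8080 scontext=root:system_r:privoxy_t tcontext=system_u:object_r:http_cache_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1126185519.456:46): arch=c000003e syscall=42 success=no exit=-13
type=AVC msg=audit(1126185520.789:47): avc:  denied  { read } for  pid=1234 comm="privoxy" name="config" scontext=root:system_r:privoxy_t tcontext=system_u:object_r:etc_t tclass=file
"""

# "avc:  denied  { perm ... } for  key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values may be double-quoted (comm="privoxy").
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # The type is the third colon-separated component of a security context.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def suggest_fix(rec):
    """Map a parsed denial to the remediation discussed in this bug, or None
    when the denial is not a TCP name_connect denial."""
    if rec is None or rec.get("tclass") != "tcp_socket":
        return None
    if "name_connect" not in rec["perms"]:
        return None
    port = rec.get("dest", "<unknown>")
    if rec["ttype"] == "port_t":
        # Generic, unlabeled port: Comment 3 labels it as an HTTP port so the
        # existing httpd/privoxy connect rules cover it.
        return f"semanage port -a -t http_port_t -p tcp {port}"
    # Port already has a specific type: Comment 1's boolean allows the
    # proxy to connect to any port.
    return "setsebool -P httpd_can_network_connect=1"


def analyze(audit_text):
    """Return (dest_port, source_type, suggestion) for every matching denial."""
    results = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        fix = suggest_fix(rec)
        if fix:
            results.append((rec["dest"], rec["stype"], fix))
    return results


if __name__ == "__main__":
    for port, stype, fix in analyze(SAMPLE_AUDIT):
        print(f"{stype} denied connect to tcp/{port}: {fix}")
```

On a live system the same functions can be fed the output of ausearch or the raw audit log; the script only reads records and prints the command it would suggest, so the administrator still decides which change to apply.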