From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.10) Gecko/20050720 Fedora/1.0.6-1.1.fc4 Firefox/1.0.6

Description of problem:
With the targeted SELinux policy enabled and the browser configured to use Privoxy as its HTTP proxy, accessing a Web server which runs on a nonstandard port like 9005 will fail with a "503 - Connect Failed" error from Privoxy.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.25.4-10

How reproducible:
Always

Steps to Reproduce:
1. Enable the targeted SELinux policy.
2. Start Privoxy and configure your browser to use localhost:8118 as its HTTP proxy.
3. Try to access a Web server which does not run on port 80 or 443, like http://sharenet.redhat.de:9800/
4. Disable SELinux protection for Privoxy, restart Privoxy, and you can access the Web server.

Actual Results:
503 - Connect Failed

Expected Results:
Privoxy should be able to connect to the server.

Additional info:
While ports other than 80 and 443 are unusual for HTTP, they are commonly used by Web developers and for non-public Web sites. They should not be blocked by the SELinux policy.
I think you are pointing out two problems with this bug report. The easiest to fix is allowing privoxy/httpd to connect to remote ports.

setsebool -P httpd_can_network_connect=1

Allows http to connect to any port. Now if you wanted to run a webserver that listens on a different port, the only solution in FC4/RHEL4 is to customize policy. We are changing this in FC5/RHEL5, allowing administrators to label additional ports. So you could specify a specific port as an httpd_port_t and allow httpd to listen on it.
Activating httpd_can_network_connect does not work with privoxy-3.0.3-7 and selinux-policy-targeted-1.27.1-2.14 - I still get "503 - Connect Failed" when I try to connect to a server running on port 9800. Note that this server runs on a different machine. This ticket is not about how to get that server running, only about accessing it via Privoxy. I modified the policy and added "allow privoxy_t port_t:tcp_socket name_connect;" in local.te - that worked.
For the record, the following command can be used with FC5 to allow Privoxy to connect to port 9800: semanage port -a -t http_port_t -p tcp 9800