Bug 176806 - httpd won't start
Summary: httpd won't start
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: i386
OS: Linux
medium
high
Target Milestone: ---
Assignee: Daniel Walsh
Reported: 2006-01-03 03:03 UTC by Jamie Zawinski
Modified: 2007-11-30 22:11 UTC (History)

Last Closed: 2006-01-03 15:50:50 UTC

Description Jamie Zawinski 2006-01-03 03:03:24 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/416.12 (KHTML, like Gecko) Safari/416.13

Description of problem:
httpd won't start on my FC4 system when SELinux is turned on.


Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.27.1-2.16

How reproducible:
Always

Steps to Reproduce:
/etc/rc.d/init.d/httpd start

Actual Results:  Starting httpd: FAILED
Exit 1

type=AVC msg=audit(1136257517.040:676): avc:  denied  { name_bind } for  pid=9792 comm="httpd" 
src=8001 scontext=root:system_r:httpd_t tcontext=system_u:object_r:port_t tclass=tcp_socket
type=SYSCALL msg=audit(1136257517.040:676): arch=40000003 syscall=102 success=no exit=-13 
a0=2 a1=bfa85980 a2=fcb7d8 a3=9d7f630 items=0 pid=9792 auid=500 uid=0 gid=0 euid=0 
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="httpd" exe="/usr/sbin/httpd"
type=SOCKADDR msg=audit(1136257517.040:676): 
saddr=0A001F41000000000000000000000000000000000000000000000000
type=SOCKETCALL msg=audit(1136257517.040:676): nargs=3 a0=4 a1=9d7f644 a2=1c


Expected Results:  A running httpd.

Additional info:

Last month, I was in the situation that httpd would not start at boot-time, but I *was* able to start it 
manually after doing "chcon root:object_r:etc_t /etc/rc.d/init.d/httpd".  That trick no longer works: now 
I can't get httpd to start at all without doing "setenforce 0".  (I run httpd on both ports 80 and 8001).

I imagine this is just some file permission problem, but if so,

  1:  the permissions are installed incorrectly by default;
  2:  I have done a great deal of googling and still don't see any obvious solutions.

Please advise...


Versions:
selinux-policy-targeted-1.27.1-2.16
libselinux-1.23.10-2
httpd-2.0.54-10.2
kernel-smp-2.6.14-1.1637_FC4


% ls -lZF /usr/sbin/*http* /etc/rc.d/init.d/*http*
-rwxr-xr-x  root     root     system_u:object_r:initrc_exec_t  /etc/rc.d/init.d/httpd*
-rwxr-xr-x  root     root     system_u:object_r:httpd_exec_t   /usr/sbin/httpd*
-rwxr-xr-x  root     root     system_u:object_r:httpd_exec_t   /usr/sbin/httpd.worker*

Comment 1 Daniel Walsh 2006-01-03 15:50:50 UTC
You can turn off the httpd transition by executing:

setsebool -P httpd_disable_trans=1

A second option would be to install policy sources
selinux-policy-targeted-sources and add
portcon tcp 8001  system_u:object_r:http_port_t
to domains/misc/local.te
and rebuild policy.

A third option would be to have your httpd listen on 8008 which is already in policy.

Finally in Rawhide FC5 you will be able to add ports to policy via the command
line tool semanage.
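
Added example (not part of the original report or comments, and not Fedora tooling): a Python sketch that correlates the AVC and SOCKADDR records quoted in the description by audit event id and decodes the raw saddr, confirming that httpd_t was refused name_bind on tcp port 8001, which carries the generic port_t label. The function names and the rejoined sample lines are assumptions made for this example.

```python
import ipaddress
import re
import struct

# Constructed sample: the AVC and SOCKADDR records from the report, each rejoined
# onto one line (the saddr is 28 bytes, matching a2=1c in the SOCKETCALL record).
AUDIT_LINES = [
    'type=AVC msg=audit(1136257517.040:676): avc:  denied  { name_bind } for  '
    'pid=9792 comm="httpd" src=8001 scontext=root:system_r:httpd_t '
    'tcontext=system_u:object_r:port_t tclass=tcp_socket',
    'type=SOCKADDR msg=audit(1136257517.040:676): saddr=0A001F41' + '00' * 24,
]

def decode_saddr(hex_saddr):
    """Decode a raw sockaddr dump into (family, address, port)."""
    raw = bytes.fromhex(hex_saddr)
    family = struct.unpack('<H', raw[:2])[0]  # host order; the log is from i386
    port = struct.unpack('!H', raw[2:4])[0]   # network byte order
    if family == 2:                           # AF_INET on Linux
        return 'inet', str(ipaddress.IPv4Address(raw[4:8])), port
    if family == 10:                          # AF_INET6 on Linux
        return 'inet6', str(ipaddress.IPv6Address(raw[8:24])), port
    raise ValueError(f'unhandled address family {family}')

def triage(lines):
    """Correlate AVC and SOCKADDR records by event id; summarise bind denials."""
    events = {}
    for line in lines:
        m = re.match(r'type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)', line)
        if not m:
            continue
        rtype, event_id, body = m.groups()
        ev = events.setdefault(event_id, {})
        if rtype == 'AVC':
            ev['perm'] = re.search(r'\{ (.+?) \}', body).group(1)
            ev.update(re.findall(r'(\w+)=("[^"]*"|\S+)', body))
        elif rtype == 'SOCKADDR':
            ev['sockaddr'] = decode_saddr(re.search(r'saddr=([0-9A-Fa-f]+)', body).group(1))
    findings = []
    for event_id, ev in events.items():
        if ev.get('perm') == 'name_bind' and 'sockaddr' in ev:
            family, addr, port = ev['sockaddr']
            findings.append({
                'event': event_id, 'comm': ev['comm'].strip('"'),
                'bind': f'{addr} port {port}/{family}',
                'port_matches_avc': port == int(ev['src']),
                'source_type': ev['scontext'].split(':')[2], 'port_type': ev['tcontext'].split(':')[2],
            })
    return findings
```

Calling triage(AUDIT_LINES) returns one finding per denied bind; a port_type of port_t means the port has no specific label in the loaded policy, which is the condition the portcon and semanage options in Comment 1 address.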

