From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/416.12 (KHTML, like Gecko) Safari/416.13

Description of problem:
httpd won't start on my FC4 system when SELinux is turned on.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.27.1-2.16

How reproducible:
Always

Steps to Reproduce:
/etc/rc.d/init.d/httpd start

Actual Results:
Starting httpd: FAILED
Exit 1

type=AVC msg=audit(1136257517.040:676): avc: denied { name_bind } for pid=9792 comm="httpd" src=8001 scontext=root:system_r:httpd_t tcontext=system_u:object_r:port_t tclass=tcp_socket
type=SYSCALL msg=audit(1136257517.040:676): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfa85980 a2=fcb7d8 a3=9d7f630 items=0 pid=9792 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="httpd" exe="/usr/sbin/httpd"
type=SOCKADDR msg=audit(1136257517.040:676): saddr=0A001F41000000000000000000000000000000000000000000000000
type=SOCKETCALL msg=audit(1136257517.040:676): nargs=3 a0=4 a1=9d7f644 a2=1c

Expected Results:
A running httpd.

Additional info:
Last month, I was in the situation that httpd would not start at boot-time, but I *was* able to start it manually after doing "chcon root:object_r:etc_t /etc/rc.d/init.d/httpd". That trick no longer works: now I can't get httpd to start at all without doing "setenforce 0". (I run httpd on both ports 80 and 8001.)

I imagine this is just some file permission problem, but if so, 1: the permissions are installed incorrectly by default; 2: I have done a great deal of googling and still don't see any obvious solutions. Please advise...

Versions:
selinux-policy-targeted-1.27.1-2.16
libselinux-1.23.10-2
httpd-2.0.54-10.2
kernel-smp-2.6.14-1.1637_FC4

% ls -lZF /usr/sbin/*http* /etc/rc.d/init.d/*http*
-rwxr-xr-x root root system_u:object_r:initrc_exec_t /etc/rc.d/init.d/httpd*
-rwxr-xr-x root root system_u:object_r:httpd_exec_t /usr/sbin/httpd*
-rwxr-xr-x root root system_u:object_r:httpd_exec_t /usr/sbin/httpd.worker*

You can turn off the httpd transition by executing:

setsebool -P httpd_disable_trans=0

A second option would be to install policy sources selinux-policy-targeted-sources and add

portcon tcp 8001 system_u:object_r:http_port_t

to domains/misc/local.te and rebuild policy.

A third option would be to have your httpd listen on 8008, which is already in policy.

Finally, in Rawhide FC5 you will be able to add ports to policy via the command line tool semanage.
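
Added example, not part of the original report or of any Fedora tool: a Python sketch that joins the AVC and SOCKADDR records quoted in the report by audit event id, decodes the saddr dump to confirm which port was refused, and builds the semanage call the last comment refers to. The function names are hypothetical, the little-endian decoding assumes an i386 host as in the report, and http_port_t is taken from that comment.

```python
import re
import struct

# Audit records for event 676, copied from the report above.
SAMPLE = (
    'type=AVC msg=audit(1136257517.040:676): avc: denied { name_bind } for pid=9792 '
    'comm="httpd" src=8001 scontext=root:system_r:httpd_t '
    'tcontext=system_u:object_r:port_t tclass=tcp_socket\n'
    'type=SOCKADDR msg=audit(1136257517.040:676): '
    'saddr=0A001F41000000000000000000000000000000000000000000000000\n'
)

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<event>[^)]+)\): avc:\s+denied\s+\{\s*name_bind\s*\}'
    r'.*?\bcomm="(?P<comm>[^"]+)".*?\bsrc=(?P<port>\d+)'
    r'\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')
SADDR_RE = re.compile(r'type=SOCKADDR msg=audit\((?P<event>[^)]+)\): saddr=(?P<hex>[0-9A-Fa-f]+)')
LINUX_AF = {2: "AF_INET", 10: "AF_INET6"}  # Linux address-family numbers


def decode_saddr(hexstr):
    """Decode family and port from the first 4 bytes of a raw sockaddr dump."""
    raw = bytes.fromhex(hexstr[:8])
    family, = struct.unpack("<H", raw[:2])   # sa_family: host order (little-endian assumed)
    port, = struct.unpack(">H", raw[2:4])    # port: network byte order
    return LINUX_AF.get(family, str(family)), port


def name_bind_denials(log):
    """Return one dict per name_bind denial, joined to its SOCKADDR record by event id."""
    saddrs = {m["event"]: decode_saddr(m["hex"]) for m in SADDR_RE.finditer(log)}
    out = []
    for m in AVC_RE.finditer(log):
        family, bound_port = saddrs.get(m["event"], (None, None))
        out.append({
            "comm": m["comm"], "port": int(m["port"]),
            "proto": m["tclass"].split("_")[0],        # tcp_socket -> tcp
            "domain": m["scontext"].split(":")[2],     # e.g. httpd_t
            "port_type": m["tcontext"].split(":")[2],  # port_t means no specific label
            "family": family,
            "saddr_matches": bound_port is None or bound_port == int(m["port"]),
        })
    return out


def semanage_command(denial, wanted_type):
    """Build the semanage call that labels the denied port with wanted_type."""
    return "semanage port -a -t %s -p %s %d" % (wanted_type, denial["proto"], denial["port"])
```

For the records above, name_bind_denials(SAMPLE) reports httpd_t being refused a bind to TCP port 8001 labelled port_t, and semanage_command(..., "http_port_t") yields the matching port-labelling command.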