Bug 176806 - httpd won't start
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: i386 Linux
Priority: medium  Severity: high
Assigned To: Daniel Walsh
Reported: 2006-01-02 22:03 EST by Jamie Zawinski
Modified: 2007-11-30 17:11 EST (History)
Last Closed: 2006-01-03 10:50:50 EST
Description Jamie Zawinski 2006-01-02 22:03:24 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/416.12 (KHTML, like Gecko) Safari/416.13

Description of problem:
httpd won't start on my FC4 system when SELinux is turned on.


Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.27.1-2.16

How reproducible:
Always

Steps to Reproduce:
/etc/rc.d/init.d/httpd start

Actual Results:  Starting httpd: FAILED
Exit 1

type=AVC msg=audit(1136257517.040:676): avc:  denied  { name_bind } for  pid=9792 comm="httpd" src=8001 scontext=root:system_r:httpd_t tcontext=system_u:object_r:port_t tclass=tcp_socket
type=SYSCALL msg=audit(1136257517.040:676): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfa85980 a2=fcb7d8 a3=9d7f630 items=0 pid=9792 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="httpd" exe="/usr/sbin/httpd"
type=SOCKADDR msg=audit(1136257517.040:676): saddr=0A001F41000000000000000000000000000000000000000000000000
type=SOCKETCALL msg=audit(1136257517.040:676): nargs=3 a0=4 a1=9d7f644 a2=1c


Expected Results:  A running httpd.

Additional info:

Last month, I was in the situation that httpd would not start at boot-time, but I *was* able to start it 
manually after doing "chcon root:object_r:etc_t /etc/rc.d/init.d/httpd".  That trick no longer works: now 
I can't get httpd to start at all without doing "setenforce 0".  (I run httpd on both ports 80 and 8001).

I imagine this is just some file permission problem, but if so,

  1:  the permissions are installed incorrectly by default;
  2:  I have done a great deal of googling and still don't see any obvious solutions.

Please advise...


Versions:
selinux-policy-targeted-1.27.1-2.16
libselinux-1.23.10-2
httpd-2.0.54-10.2
kernel-smp-2.6.14-1.1637_FC4


% ls -lZF /usr/sbin/*http* /etc/rc.d/init.d/*http*
-rwxr-xr-x  root     root     system_u:object_r:initrc_exec_t  /etc/rc.d/init.d/httpd*
-rwxr-xr-x  root     root     system_u:object_r:httpd_exec_t   /usr/sbin/httpd*
-rwxr-xr-x  root     root     system_u:object_r:httpd_exec_t   /usr/sbin/httpd.worker*
Comment 1 Daniel Walsh 2006-01-03 10:50:50 EST
You can turn off the httpd transition by executing.

setsebool -P httpd_disable_trans=0

A second option would be to install policy sources
selinux-policy-targeted-sources and add
portcon tcp 8001  system_u:object_r:http_port_t
to domains/misc/local.te
and rebuild policy.

A third option would be to have your httpd listen on 8008 which is already in policy.

Finally in Rawhide FC5 you will be able to add ports to policy via the command
line tool semanage.
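
The denial in the report can be read mechanically: the AVC record names the denied permission and the two contexts, and the SOCKADDR record of the same event carries the port in hex. The Python below is an added example, not part of the bug report or of the SELinux tools; the `semanage port -a` syntax it prints is the form used by later policycoreutils releases and is an assumption here, since the comment above only names the tool.

```python
import ipaddress
import re
import struct

# Constructed sample: the AVC and SOCKADDR records from the report, one record per line.
EVENT = "msg=audit(1136257517.040:676):"
AUDIT_LOG = "\n".join([
    "type=AVC " + EVENT + ' avc:  denied  { name_bind } for  pid=9792 comm="httpd" '
    "src=8001 scontext=root:system_r:httpd_t tcontext=system_u:object_r:port_t tclass=tcp_socket",
    "type=SOCKADDR " + EVENT + " saddr=0A001F41" + "00" * 24,
])
RECORD = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\):\s*(.*)")
AVC = re.compile(r'denied\s+\{ ([^}]*)\}.*?comm="([^"]+)".*?'
                 r"scontext=(\S+) tcontext=(\S+) tclass=(\w+)")

def decode_saddr(hex_saddr):
    """Decode SOCKADDR: family is host order (little-endian on i386), port is network order."""
    raw = bytes.fromhex(hex_saddr)
    family, port = struct.unpack("<H", raw[:2])[0], struct.unpack(">H", raw[2:4])[0]
    if family == 2 and len(raw) >= 8:    # AF_INET
        return "inet", str(ipaddress.ip_address(raw[4:8])), port
    if family == 10 and len(raw) >= 24:  # AF_INET6 on Linux; address follows 4-byte flowinfo
        return "inet6", str(ipaddress.ip_address(raw[8:24])), port
    return "family-%d" % family, None, None

def port_denials(log_text):
    """Correlate records by audit event id; return name_bind denials with the decoded port."""
    events = {}
    for line in log_text.splitlines():
        if (m := RECORD.match(line.strip())):
            events.setdefault(m.group(2), {})[m.group(1)] = m.group(3)
    found = []
    for event_id, recs in events.items():
        avc = AVC.search(recs.get("AVC", ""))
        saddr = re.search(r"saddr=([0-9A-Fa-f]+)", recs.get("SOCKADDR", ""))
        if not avc or not saddr or "name_bind" not in avc.group(1).split():
            continue
        family, addr, port = decode_saddr(saddr.group(1))
        found.append({"event": event_id, "comm": avc.group(2), "domain": avc.group(3).split(":")[2],
                      "target": avc.group(4).split(":")[2], "proto": avc.group(5).split("_")[0],
                      "family": family, "addr": addr, "port": port})
    return found

def suggest_label(d, port_type="http_port_t"):
    """Only an unlabeled port (generic port_t) is a candidate for a new label."""
    if d["target"] != "port_t" or d["port"] is None:
        return None
    return "semanage port -a -t %s -p %s %d" % (port_type, d["proto"], d["port"])
```

For the records in this report, `port_denials(AUDIT_LOG)` yields one event: httpd_t denied name_bind on tcp port 8001, whose target type is the generic port_t, which is why labelling the port (or moving to 8008) resolves it without leaving enforcing mode.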
