Bug 188450 - httpd can't connect to tomcat5
Summary: httpd can't connect to tomcat5
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 5
Hardware: All
OS: Linux
medium
high
Target Milestone: ---
Assignee: James Antill
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2006-04-10 06:29 UTC by santiago angel
Modified: 2007-11-30 22:11 UTC (History)
2 users (show)

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-03-28 20:02:42 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description santiago angel 2006-04-10 06:29:18 UTC 
Description of problem:
httpd can't connect to tomcat5

How reproducible:
if httpd and tomcat5 are configured with mod_proxy_ajp
selinux policies don't allow it
and audit displays an error:

audit(1144648502.551:279): avc:  denied  { name_connect } for  pid=6157
comm="httpd" dest=8009 scontext=user_u:system_r:httpd_t:s0
tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

basicly httpd can communicate with port 8009 that tomcat5 with ajp use

Steps to Reproduce:
1.configure httpd with mod_proxy_ajp
2.view http://localhost/tomcat
3.in terminal lock the dmesg command output
  
Actual results:
failed 

Expected results:
httpd and tomcat5 communication
Comment 2 Daniel Walsh 2006-05-09 19:49:24 UTC 
semanage ports -a -t http_port_t -p tcp 8009

Should fix it.

Should this be a standard http_port_t?
Comment 3 santiago angel 2006-05-09 23:07:53 UTC 
i used this to fix it:
setsebool -P httpd_can_network_connect true


but I suggest to include a rule specifies for when apache httpd with tomcat5 and
mod_jk or mod_proxy_ajp is used altogether
Comment 4 Daniel Walsh 2006-05-10 19:38:27 UTC 
Fixed in  2.2.38-2
Comment 5 Daniel Walsh 2007-03-28 20:02:42 UTC 
Closing bugs
Note You need to log in before you can comment on or make changes to this bug.