I am using the ATrpms mythweb package from the mythtv suite. If you are not familiar with it, mythweb is basically a web browser that allows you to remotely control many aspects of mythtv over the web.

Mythweb needs to connect to mythbackend (default on port 6543) and also somewhere needs to run the command 'hostname'. Both of these actions are creating selinux errors as follows:

SELinux is preventing the http daemon from connecting to network port 6543

Detailed Description
SELinux has denied the http daemon from connecting to 6543. An httpd script is trying to do a network connect to a remote port. If you did not setup httpd to network connections, this could signal a intrusion attempt.

avc: denied { name_connect } for comm=httpd dest=6543 egid=48 euid=48 exe=/usr/sbin/httpd exit=-13 fsgid=48 fsuid=48 gid=48 items=0 pid=2757 scontext=system_u:system_r:httpd_t:s0 sgid=48 subj=system_u:system_r:httpd_t:s0 suid=48 tclass=tcp_socket tcontext=system_u:object_r:port_t:s0 tty=(none) uid=48

Summary
SELinux is preventing the sh from using potentially mislabeled files /bin/hostname (hostname_exec_t).

Detailed Description
SELinux has denied the sh access to potentially mislabeled files /bin/hostname. This means that SELinux will not allow httpd to use these files. Many third party apps install html files in directories that SELinux policy cannot predict. These directories have to be labeled with a file context which httpd can access.

avc: denied { getattr } for comm=sh dev=sda7 egid=48 euid=48 exe=/bin/bash exit=-13 fsgid=48 fsuid=48 gid=48 items=0 path=/bin/hostname pid=5186 scontext=system_u:system_r:httpd_t:s0 sgid=48 subj=system_u:system_r:httpd_t:s0 suid=48 tclass=file tcontext=system_u:object_r:hostname_exec_t:s0 tty=(none) uid=48

Is this something that you can fix in the targeted policy or is it something that the mythtv packager should fix? (I am cc'ing Axel here)

You can turn on the boolean

setsebool -P httpd_can_network_connect=1

to allow apache to connect to ports.

You can update policy for hostname by executing the following.

# audit2allow -M mypol -i /var/log/audit/audit.log
# semodule -i mypol.pp

I will fix policy for hostname in selinux-policy-3.0.8-73.fc8.
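
Added example, not part of the thread: audit2allow run over the whole audit.log builds its module from every denial in that file, so it helps to see which allow rules the two denials in the report translate to before loading mypol.pp. This Python example reproduces that mapping for the basic case; the function names and the trimmed sample records are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed sample: the two denials quoted in the report, trimmed to the
# fields the parser reads.
SAMPLE_LOG = """\
avc: denied { name_connect } for comm=httpd dest=6543 exe=/usr/sbin/httpd scontext=system_u:system_r:httpd_t:s0 tclass=tcp_socket tcontext=system_u:object_r:port_t:s0
avc: denied { getattr } for comm=sh exe=/bin/bash path=/bin/hostname scontext=system_u:system_r:httpd_t:s0 tclass=file tcontext=system_u:object_r:hostname_exec_t:s0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) or None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = set(m.group(1).split())
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    try:
        # A context is user:role:type[:level]; the type is the third field.
        source = fields["scontext"].split(":")[2]
        target = fields["tcontext"].split(":")[2]
        return (source, target, fields["tclass"], perms) if perms else None
    except (KeyError, IndexError):
        return None  # truncated or malformed record


def te_rules(log_text, source_type=None):
    """Merge denials into allow rules, optionally for one source domain only."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or (source_type and rec[0] != source_type):
            continue
        merged[rec[:3]] |= rec[3]
    rules = []
    for (source, target, tclass), perms in sorted(merged.items()):
        names = sorted(perms)
        perm = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {source} {target}:{tclass} {perm};")
    return rules


if __name__ == "__main__":
    # port_t is the generic type for ports with no label of their own, so the
    # name_connect rule below is not limited to port 6543.
    for rule in te_rules(SAMPLE_LOG):
        print(rule)
```

audit2allow -M also writes mypol.te next to mypol.pp; reading that file before running semodule -i serves the same purpose on a real system.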