The following was filed automatically by setroubleshoot:

Résumé:

SELinux is preventing httpd (httpd_t) "name_bind" transproxy_port_t.

Description détaillée:

SELinux denied access requested by httpd. It is not expected that this access is required by httpd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Autoriser l'accès:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Informations complémentaires:

Contexte source               unconfined_u:system_r:httpd_t:s0
Contexte cible                system_u:object_r:transproxy_port_t:s0
Objets du contexte            None [ tcp_socket ]
source                        httpd
Chemin de la source           /usr/sbin/httpd
Port                          8081
Hôte                          (removed)
Paquetages RPM source         httpd-2.2.11-9
Paquetages RPM cible
Politique RPM                 selinux-policy-3.6.20-2.fc12
Selinux activé                True
Type de politique             targeted
MLS activé                    True
Mode strict                   Enforcing
Nom du plugin                 catchall
Nom de l'hôte                 (removed)
Plateforme                    Linux (removed) 2.6.31-0.42.rc2.fc12.x86_64 #1 SMP Sat Jul 4 20:49:29 EDT 2009 x86_64 x86_64
Compteur d'alertes            3
Première alerte               dim. 05 juil. 2009 13:57:14 CEST
Dernière alerte               dim. 05 juil. 2009 14:02:41 CEST
ID local                      fe603b18-2d4c-4239-b781-3d4f78fd934a
Numéros des lignes

Messages d'audit bruts

node=(removed) type=AVC msg=audit(1246795361.888:31248): avc: denied { name_bind } for pid=3668 comm="httpd" src=8081 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:transproxy_port_t:s0 tclass=tcp_socket

node=(removed) type=SYSCALL msg=audit(1246795361.888:31248): arch=c000003e syscall=49 success=yes exit=0 a0=6 a1=7fb23e213bb0 a2=10 a3=7fff5e8db54c items=0 ppid=3667 pid=3668 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

audit2allow suggests:

#============= httpd_t ==============
allow httpd_t transproxy_port_t:tcp_socket name_bind;

Apache can be used as a proxy via mod_proxy, so this is a legitimate bind.

Would you consider this should be allowed by httpd_can_network_relay? Or is this just a random port that you can proxy through httpd?