This service will be undergoing maintenance at 00:00 UTC, 2017-10-23 It is expected to last about 30 minutes
Bug 509707 - setroubleshoot: SELinux is preventing httpd (httpd_t) "name_bind" transproxy_port_t.
setroubleshoot: SELinux is preventing httpd (httpd_t) "name_bind" transp...
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
rawhide
x86_64 Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
setroubleshoot_trace_hash:483d4f7551f...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-07-05 08:09 EDT by Nicolas Mailhot
Modified: 2009-10-20 17:52 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-10-20 17:52:21 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Nicolas Mailhot 2009-07-05 08:09:58 EDT
The following was filed automatically by setroubleshoot:

Résumé:

SELinux is preventing httpd (httpd_t) "name_bind" transproxy_port_t.

Description détaillée:

SELinux denied access requested by httpd. It is not expected that this access is
required by httpd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Autoriser l'accès:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Informations complémentaires:

Contexte source               unconfined_u:system_r:httpd_t:s0
Contexte cible                system_u:object_r:transproxy_port_t:s0
Objets du contexte            None [ tcp_socket ]
source                        httpd
Chemin de la source           /usr/sbin/httpd
Port                          8081
Hôte                         (removed)
Paquetages RPM source         httpd-2.2.11-9
Paquetages RPM cible          
Politique RPM                 selinux-policy-3.6.20-2.fc12
Selinux activé               True
Type de politique             targeted
MLS activé                   True
Mode strict                   Enforcing
Nom du plugin                 catchall
Nom de l'hôte                (removed)
Plateforme                    Linux (removed) 2.6.31-0.42.rc2.fc12.x86_64 #1 SMP
                              Sat Jul 4 20:49:29 EDT 2009 x86_64 x86_64
Compteur d'alertes            3
Première alerte              dim. 05 juil. 2009 13:57:14 CEST
Dernière alerte              dim. 05 juil. 2009 14:02:41 CEST
ID local                      fe603b18-2d4c-4239-b781-3d4f78fd934a
Numéros des lignes           

Messages d'audit bruts        

node=(removed) type=AVC msg=audit(1246795361.888:31248): avc:  denied  { name_bind } for  pid=3668 comm="httpd" src=8081 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:transproxy_port_t:s0 tclass=tcp_socket

node=(removed) type=SYSCALL msg=audit(1246795361.888:31248): arch=c000003e syscall=49 success=yes exit=0 a0=6 a1=7fb23e213bb0 a2=10 a3=7fff5e8db54c items=0 ppid=3667 pid=3668 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)


audit2allow suggests:

#============= httpd_t ==============
allow httpd_t transproxy_port_t:tcp_socket name_bind;
Comment 1 Nicolas Mailhot 2009-07-05 08:11:01 EDT
Apache can be used as proxy via mod_proxy so this is a legitimate bind
Comment 2 Daniel Walsh 2009-07-05 22:00:05 EDT
Would you consider this should be allowed by httpd_can_network_relay?  Or is this just a random port that you can proxy through httpd?

Note You need to log in before you can comment on or make changes to this bug.