Bug 509729 - setroubleshoot: SELinux is preventing the http daemon from connecting to network port 993
Product: Fedora
Classification: Fedora
Component: selinux-policy
x86_64 Linux
Severity: medium
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
Reported: 2009-07-05 11:14 EDT by Nicolas Mailhot
Modified: 2009-07-05 21:39 EDT
Doc Type: Bug Fix
Last Closed: 2009-07-05 21:39:54 EDT
Description Nicolas Mailhot 2009-07-05 11:14:18 EDT
The following was filed automatically by setroubleshoot:


SELinux is preventing the http daemon from connecting to network port 993

Detailed description:

SELinux has denied the http daemon from connecting to 993. An httpd script is
trying to do a network connect to a remote port. If you did not set up httpd to
make network connections, this could signal an intrusion attempt.

Allowing access:

If you want httpd to connect to network ports you need to turn on the
httpd_can_network_connect boolean: "setsebool -P

Fix command:

setsebool -P httpd_can_network_connect=1

Additional information:

Source context                unconfined_u:system_r:httpd_t:s0
Target context                system_u:object_r:pop_port_t:s0
Target objects                None [ tcp_socket ]
Source                        httpd
Source path                   /usr/sbin/httpd
Port                          993
Host                          (removed)
Source RPM packages           httpd-2.2.11-9
Target RPM packages           
Policy RPM                    selinux-policy-3.6.20-2.fc12
SELinux enabled               True
Policy type                   targeted
MLS enabled                   True
Enforcing mode                Enforcing
Plugin name                   httpd_can_network_connect
Host name                     (removed)
Platform                      Linux (removed) 2.6.31-0.42.rc2.fc12.x86_64 #1 SMP
                              Sat Jul 4 20:49:29 EDT 2009 x86_64 x86_64
Alert count                   1
First seen                    dim. 05 juil. 2009 17:03:55 CEST
Last seen                     dim. 05 juil. 2009 17:03:55 CEST
Local ID                      4183a9a7-8559-427b-87ea-a5190d02b335
Line numbers                  

Raw audit messages            

node=(removed) type=AVC msg=audit(1246806235.669:46): avc:  denied  { name_connect } for  pid=6126 comm="httpd" dest=993 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket

node=(removed) type=SYSCALL msg=audit(1246806235.669:46): arch=c000003e syscall=42 success=yes exit=0 a0=f a1=7f6a7dc7a158 a2=10 a3=40 items=0 ppid=4304 pid=6126 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

audit2allow suggests:

#============= httpd_t ==============
allow httpd_t pop_port_t:tcp_socket name_connect;
Comment 1 Nicolas Mailhot 2009-07-05 11:15:28 EDT
squirrelmail should be allowed to connect to mail-related network ports by default
Comment 2 Daniel Walsh 2009-07-05 21:39:54 EDT
That would allow all apache plugins and apps to connect to mail ports by default, making every httpd service, if corrupted, into a spam bot.  This will not be changed.
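The denial above is the kind of event the maintainer's answer says should be looked at rather than waved through with the boolean. The following script is an added example, not part of this bug report or of the selinux-policy project: it reads constructed audit lines in the same format as the raw AVC message above, keeps only name_connect denials raised by httpd_t, and reports the destination port and target port type, so an administrator can tell an expected webmail connection from unexpected outbound traffic out of a web process before deciding on any policy change. The SAMPLE_AUDIT lines and the function names are constructed here.

```bash
#!/bin/bash
# Added example (not from the bug report). Triage AVC name_connect denials
# from httpd_t. The audit lines below are constructed for the example; on a
# real host the same function can read `ausearch -m AVC -ts recent` output.

SAMPLE_AUDIT=$(cat <<'EOF'
node=(removed) type=AVC msg=audit(1246806235.669:46): avc:  denied  { name_connect } for  pid=6126 comm="httpd" dest=993 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket
node=(removed) type=AVC msg=audit(1246806300.100:47): avc:  denied  { name_connect } for  pid=6130 comm="httpd" dest=25 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
node=(removed) type=AVC msg=audit(1246806400.200:48): avc:  denied  { read } for  pid=6131 comm="httpd" name="index.html" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
node=(removed) type=AVC msg=audit(1246806500.300:49): avc:  denied  { name_connect } for  pid=7000 comm="postfix" dest=993 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket
EOF
)

# Read audit lines on stdin; print "<pid> <dest port> <target type>" for every
# name_connect denial whose source domain is httpd_t. Other denials and other
# domains are ignored so the output is only outbound attempts by the web server.
httpd_connect_denials() {
  awk '
    /type=AVC/ && /denied/ && /name_connect/ {
      pid = ""; dest = ""; stype = ""; ttype = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^pid=/)      { pid = substr($i, 5) }
        if ($i ~ /^dest=/)     { dest = substr($i, 6) }
        if ($i ~ /^scontext=/) { split(substr($i, 10), s, ":"); stype = s[3] }
        if ($i ~ /^tcontext=/) { split(substr($i, 10), t, ":"); ttype = t[3] }
      }
      if (stype == "httpd_t") print pid, dest, ttype
    }'
}

# Number of httpd_t name_connect denials in the sample. Anything above zero
# on a host where httpd is not expected to open outbound connections deserves
# a look before "setsebool -P httpd_can_network_connect=1" is ever run.
count_httpd_connect_denials() {
  printf '%s\n' "$SAMPLE_AUDIT" | httpd_connect_denials | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_AUDIT" | httpd_connect_denials
```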
