This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours
Bug 546785 - SELinux is preventing /usr/sbin/httpd from connecting to port 25151.
SELinux is preventing /usr/sbin/httpd from connecting to port 25151.
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: cobbler (Show other bugs)
12
x86_64 Linux
medium Severity medium
: ---
: ---
Assigned To: John Eckersberg
Fedora Extras Quality Assurance
setroubleshoot_trace_hash:8f864c28b32...
: Reopened
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-12-11 17:54 EST by Steve Traylen
Modified: 2013-05-06 16:10 EDT (History)
8 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-12-03 20:47:20 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Steve Traylen 2009-12-11 17:54:11 EST

Summary:

After installing cobbler 

# rpm -qf /usr/bin/cobblerd
cobbler-2.0.0-1.fc12.noarch

and running it creates a service.

tcp        0      0 127.0.0.1:25151             0.0.0.0:*                   LISTEN      1882/python

also contained in /etc/httpd/conf.d/cobbler.conf is
ProxyPass /cobbler_api http://localhost:25151/
ProxyPassReverse /cobbler_api http://localhost:25151/

# cobbler check
httpd does not appear to be running and proxying cobbler

due the selinux error below.

SELinux is preventing /usr/sbin/httpd from connecting to port 25151.

Detailed Description:

[httpd has a permissive type (httpd_t). This access was not denied.]

SELinux has denied httpd from connecting to a network port 25151 which does not
have an SELinux type associated with it. If httpd should be allowed to connect
on 25151, use the semanage command to assign 25151 to a port type that httpd_t
can connect to (dns_port_t, http_port_t, ldap_port_t, kerberos_port_t,
ocsp_port_t).
If httpd is not supposed to connect to 25151, this could signal a intrusion
attempt.

Allowing Access:

If you want to allow httpd to connect to 25151, you can execute
semanage port -a -t PORT_TYPE -p tcp 25151
where PORT_TYPE is one of the following: dns_port_t, http_port_t, ldap_port_t,
kerberos_port_t, ocsp_port_t.

Additional Information:

Source Context                unconfined_u:system_r:httpd_t:s0
Target Context                system_u:object_r:port_t:s0
Target Objects                None [ tcp_socket ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          25151
Host                          (removed)
Source RPM Packages           httpd-2.2.13-4.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-55.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   connect_ports
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.6-166.fc12.x86_64 #1 SMP
                              Wed Dec 9 10:46:22 EST 2009 x86_64 x86_64
Alert Count                   16
First Seen                    Fri 11 Dec 2009 01:55:55 AM CET
Last Seen                     Fri 11 Dec 2009 11:28:44 PM CET
Local ID                      5394e20f-efa7-4996-8a13-57cedf365368
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1260570524.282:45502): avc:  denied  { name_connect } for  pid=7962 comm="httpd" dest=25151 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

node=(removed) type=SYSCALL msg=audit(1260570524.282:45502): arch=c000003e syscall=42 success=yes exit=128 a0=c a1=7f354ab002b8 a2=10 a3=7fff209b6bbc items=0 ppid=7957 pid=7962 auid=500 uid=48 gid=485 euid=48 suid=48 fsuid=48 egid=485 sgid=485 fsgid=485 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)



Hash String generated from  selinux-policy-3.6.32-55.fc12,connect_ports,httpd,httpd_t,port_t,tcp_socket,name_connect
audit2allow suggests:

#============= httpd_t ==============
allow httpd_t port_t:tcp_socket name_connect;
Comment 1 Daniel Walsh 2009-12-12 07:19:35 EST
You have changed the default way apache runs, so you need to tell SELinux about it.

If you want to change the ports the apache can connect to you can add this port to http_port_t


semanage port -a -t http_port_t -p tcp 25151

Running the avc through audit2allow it also shows booleans you could set.

# audit2allow -wi /tmp/t
node=(removed) type=AVC msg=audit(1260570524.282:45502): avc:  denied  { name_connect } for  pid=7962 comm="httpd" dest=25151 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

	Was caused by:
	One of the following booleans was set incorrectly.
	Description:
	Allow system to run with NIS

	Allow access by executing:
	# setsebool -P allow_ypbind 1
	Description:
	Allow HTTPD scripts and modules to connect to the network using TCP.

	Allow access by executing:
	# setsebool -P httpd_can_network_connect 1
Comment 2 Steve Traylen 2009-12-12 11:37:50 EST
I am meant to do this or it is meant to be added as policy within the RPMS.

Sure I can add it for now but for the future are these not meant to just
installed with the packages? i.e this is for cobbler itself to add 
in a cobbler-selinux package or something?

Remember I only reported since the "automatic bug reporting" tool suggested
that I did.

Steve
Comment 3 Daniel Walsh 2009-12-14 06:34:36 EST
Well If cobbler needs to setup apache to connect to port 25151 then maybe it should do it.  I am not going to setup every apache site in the world to connect to this port.  I would prefer that apache be setup to not be allowed to connect to any port by default and the administrator decide on which ports it can connect.

This would potentially prevent apache worms.  The goal with SELinux is to be as secure as possible by default, and have little admin.

Maybe the init script of the cobbler startup could check the port is defined and then define it if it in not defined.  This would only define it if some one actually turned on cobbler.
Comment 4 Steve Traylen 2009-12-14 07:22:35 EST
Hi Daniel,

Yes agreed its the responsibility of the cobbler package though I think
the method is to have a cobbler-selinux package the same as say:

The bug was auto-assigned to the selinux policy package , it should have
never have gone there.

# rpm -pql pure-ftpd-selinux-1.0.22-4.fc12.x86_64.rpm 
/usr/share/doc/pure-ftpd-selinux-1.0.22
/usr/share/doc/pure-ftpd-selinux-1.0.22/README.SELinux
/usr/share/selinux/packages/pure-ftpd/pureftpd.pp

that contains some policy that is loaded automatically.

Steve
Comment 5 Daniel Walsh 2009-12-14 07:54:55 EST
My only concern is the mere adding of the cobbler package does not indicate you are going to use it.  So if the cobbler package adds the port, apache will suddenly be able to connect.  Adding a policy for cobbler would be good, and I think this is being worked on.
Comment 6 Bug Zapper 2010-11-03 23:34:44 EDT
This message is a reminder that Fedora 12 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 12.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '12'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 12's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 12 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 7 Bug Zapper 2010-12-03 20:47:20 EST
Fedora 12 changed to end-of-life (EOL) status on 2010-12-02. Fedora 12 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.
Comment 8 Daver 2013-05-06 08:37:20 EDT
I have installed and configured cobbler and required setting as per the following link,
http://centoshowtos.org/installation/kickstart-cobbler-on-centos-server/

and i too get the following error..

Can Anyone help??

[root@puppetserver puppet]# cobbler status
httpd does not appear to be running and proxying cobbler, or SELinux is in the way. Original traceback:
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/cobbler/cli.py", line 184, in check_setup
    s.ping()
  File "/usr/lib64/python2.6/xmlrpclib.py", line 1199, in __call__
    return self.__send(self.__name, args)
  File "/usr/lib64/python2.6/xmlrpclib.py", line 1489, in __request
    verbose=self.__verbose
  File "/usr/lib64/python2.6/xmlrpclib.py", line 1235, in request
    self.send_content(h, request_body)
  File "/usr/lib64/python2.6/xmlrpclib.py", line 1349, in send_content
    connection.endheaders()
  File "/usr/lib64/python2.6/httplib.py", line 908, in endheaders
    self._send_output()
  File "/usr/lib64/python2.6/httplib.py", line 780, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.6/httplib.py", line 739, in send
    self.connect()
  File "/usr/lib64/python2.6/httplib.py", line 720, in connect
    self.timeout)
  File "/usr/lib64/python2.6/socket.py", line 553, in create_connection
    for res in getaddrinfo(host, port, 0, SOCK_STREAM):
gaierror: [Errno -2] Name or service not known
Comment 9 Cristian Ciupitu 2013-05-06 16:10:31 EDT
(In reply to comment #8)

This bug report is for Fedora, not for CentOS. Also your issue doesn't
look similar to the one reported here.

Last, but not least, this is not a support forum. If you're having
issues with cobbler have a look at http://www.cobblerd.org/community.html

Note You need to log in before you can comment on or make changes to this bug.