Bug 593450 - SELinux is preventing /usr/sbin/lighttpd from connecting to port 1026.
Summary: SELinux is preventing /usr/sbin/lighttpd from connecting to port 1026.
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 13
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:af4cb305b49...
Depends On:
Blocks:
 
Reported: 2010-05-18 19:33 UTC by Matthias Runge
Modified: 2010-05-18 19:39 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-05-18 19:39:56 UTC
Type: ---



Description Matthias Runge 2010-05-18 19:33:22 UTC
Summary:

SELinux is preventing /usr/sbin/lighttpd from connecting to port 1026.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux has denied lighttpd from connecting to a network port 1026 which does
not have an SELinux type associated with it. If lighttpd should be allowed to
connect on 1026, use the semanage command to assign 1026 to a port type that
httpd_t can connect to (ldap_port_t, dns_port_t, http_port_t, kerberos_port_t,
ocsp_port_t).
If lighttpd is not supposed to connect to 1026, this could signal an intrusion
attempt.

Allowing Access:

If you want to allow lighttpd to connect to 1026, you can execute
semanage port -a -t PORT_TYPE -p tcp 1026
where PORT_TYPE is one of the following: ldap_port_t, dns_port_t, http_port_t,
kerberos_port_t, ocsp_port_t.

Additional Information:

Source Context                unconfined_u:system_r:httpd_t:s0
Target Context                system_u:object_r:port_t:s0
Target Objects                None [ tcp_socket ]
Source                        lighttpd
Source Path                   /usr/sbin/lighttpd
Port                          1026
Host                          (removed)
Source RPM Packages           lighttpd-1.4.26-2.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-13.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   connect_ports
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33.3-85.fc13.i686 #1 SMP Thu May 6 18:44:12 UTC 2010 i686 i686
Alert Count                   1
First Seen                    Tue 18 May 2010 21:31:55 CEST
Last Seen                     Tue 18 May 2010 21:31:55 CEST
Local ID                      6b8a1388-e072-446c-87f2-58c41ff324cb
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1274211115.130:20664): avc:  denied  { name_connect } for  pid=2626 comm="lighttpd" dest=1026 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

node=(removed) type=SYSCALL msg=audit(1274211115.130:20664): arch=40000003 syscall=102 success=no exit=-111 a0=3 a1=bfe4f3a0 a2=875b0c a3=9355968 items=0 ppid=1 pid=2626 auid=500 uid=488 gid=488 euid=488 suid=488 fsuid=488 egid=488 sgid=488 fsgid=488 tty=(none) ses=1 comm="lighttpd" exe="/usr/sbin/lighttpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)



Hash String generated from connect_ports,lighttpd,httpd_t,port_t,tcp_socket,name_connect
audit2allow suggests:

#============= httpd_t ==============
#!!!! This avc can be allowed using one of the these booleans:
#     allow_ypbind, allow_ypbind

allow httpd_t port_t:tcp_socket name_connect;

Comment 1 Matthias Runge 2010-05-18 19:37:36 UTC
This happens when using lighttpd via FastCGI to process PHP scripts:
fastcgi.server = ( ".php" =>
                   ( "localhost" =>
                     (
                       "host" => "127.0.0.1",
                       "port" => 1026,
                       "bin-path" => "/usr/bin/php-cgi"
                     )
                   )
                )

Comment 2 Daniel Walsh 2010-05-18 19:39:56 UTC
If you want apache to connect to other ports then you need to either define
those ports as http_port_t as defined above, or set the
httpd_can_network_connect

# setsebool -P httpd_can_network_connect on
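As an added example (not part of this report, setroubleshoot, or audit2allow), a small Python parser for the AVC and SYSCALL records quoted above that picks between the two fixes offered in this bug: labelling just the one port as http_port_t when the target is the unlabelled port_t, versus the much broader httpd_can_network_connect boolean. The sample records are the report's own, trimmed; the port-type list is the one setroubleshoot printed.

```python
import re

# Constructed sample input: the two audit records from this report, trimmed
# to the fields the parser needs (same event id, two record types).
AVC = ('node=(removed) type=AVC msg=audit(1274211115.130:20664): avc:  denied  '
       '{ name_connect } for  pid=2626 comm="lighttpd" dest=1026 '
       'scontext=unconfined_u:system_r:httpd_t:s0 '
       'tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket')
SYSCALL = ('node=(removed) type=SYSCALL msg=audit(1274211115.130:20664): '
           'arch=40000003 syscall=102 success=no exit=-111 pid=2626 '
           'comm="lighttpd" exe="/usr/sbin/lighttpd" '
           'subj=unconfined_u:system_r:httpd_t:s0 key=(null)')

# Port types httpd_t may name_connect to, as listed by setroubleshoot above.
HTTPD_CONNECT_TYPES = {"ldap_port_t", "dns_port_t", "http_port_t",
                       "kerberos_port_t", "ocsp_port_t"}
# Audit records come from a Linux host, so decode 'exit' with Linux errno values.
LINUX_ERRNO = {13: "EACCES", 111: "ECONNREFUSED"}

def parse_record(line):
    """Split an audit record into key=value fields plus the AVC permission set."""
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    perms = re.search(r'\{ ([^}]*) \}', line)
    fields["perms"] = perms.group(1).split() if perms else []
    return fields

def sel_type(context):
    """user:role:type:level -> type."""
    return context.split(":")[2]

def remediation(avc):
    """(narrow, broad) fixes for an httpd_t tcp name_connect denial, else None."""
    if avc.get("tclass") != "tcp_socket" or "name_connect" not in avc["perms"]:
        return None
    if sel_type(avc["scontext"]) != "httpd_t":
        return None
    port = avc["dest"]
    if sel_type(avc["tcontext"]) == "port_t":
        # Unlabelled port: label only this port (least privilege) instead of
        # letting httpd_t reach every port through the boolean.
        narrow = f"semanage port -a -t http_port_t -p tcp {port}"
    elif sel_type(avc["tcontext"]) in HTTPD_CONNECT_TYPES:
        narrow = None  # already an allowed type; the denial is something else
    else:
        narrow = f"semanage port -m -t http_port_t -p tcp {port}"  # relabel
    broad = "setsebool -P httpd_can_network_connect on"
    return narrow, broad

def syscall_outcome(sc):
    """(errno name, selinux_enforced): only EACCES means SELinux blocked it."""
    code = -int(sc["exit"])
    return LINUX_ERRNO.get(code, str(code)), code == 13
```

For the report above the SYSCALL record ends in ECONNREFUSED, not EACCES: the host was in permissive mode, so the connect was refused by the TCP stack (nothing listening on 1026 yet), not by SELinux.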

