Summary:
SELinux is preventing /usr/sbin/lighttpd from connecting to port 1026.

Detailed Description:
[SELinux is in permissive mode. This access was not denied.]

SELinux has denied lighttpd from connecting to network port 1026, which does not have an SELinux type associated with it. If lighttpd should be allowed to connect on 1026, use the semanage command to assign 1026 to a port type that httpd_t can connect to (ldap_port_t, dns_port_t, http_port_t, kerberos_port_t, ocsp_port_t). If lighttpd is not supposed to connect to 1026, this could signal an intrusion attempt.

Allowing Access:
If you want to allow lighttpd to connect to 1026, you can execute

    semanage port -a -t PORT_TYPE -p tcp 1026

where PORT_TYPE is one of the following: ldap_port_t, dns_port_t, http_port_t, kerberos_port_t, ocsp_port_t.

Additional Information:
Source Context       unconfined_u:system_r:httpd_t:s0
Target Context       system_u:object_r:port_t:s0
Target Objects       None [ tcp_socket ]
Source               lighttpd
Source Path          /usr/sbin/lighttpd
Port                 1026
Host                 (removed)
Source RPM Packages  lighttpd-1.4.26-2.fc13
Target RPM Packages
Policy RPM           selinux-policy-3.7.19-13.fc13
Selinux Enabled      True
Policy Type          targeted
Enforcing Mode       Permissive
Plugin Name          connect_ports
Host Name            (removed)
Platform             Linux (removed) 2.6.33.3-85.fc13.i686 #1 SMP Thu May 6 18:44:12 UTC 2010 i686 i686
Alert Count          1
First Seen           Tue 18 May 2010 21:31:55 CEST
Last Seen            Tue 18 May 2010 21:31:55 CEST
Local ID             6b8a1388-e072-446c-87f2-58c41ff324cb
Line Numbers

Raw Audit Messages:
node=(removed) type=AVC msg=audit(1274211115.130:20664): avc: denied { name_connect } for pid=2626 comm="lighttpd" dest=1026 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
node=(removed) type=SYSCALL msg=audit(1274211115.130:20664): arch=40000003 syscall=102 success=no exit=-111 a0=3 a1=bfe4f3a0 a2=875b0c a3=9355968 items=0 ppid=1 pid=2626 auid=500 uid=488 gid=488 euid=488 suid=488 fsuid=488 egid=488 sgid=488 fsgid=488 tty=(none) ses=1 comm="lighttpd" exe="/usr/sbin/lighttpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

Hash String generated from connect_ports,lighttpd,httpd_t,port_t,tcp_socket,name_connect

audit2allow suggests:
#============= httpd_t ==============
#!!!! This avc can be allowed using one of these booleans:
# allow_ypbind, allow_ypbind
allow httpd_t port_t:tcp_socket name_connect;
This happens when using lighttpd via FastCGI to process PHP scripts:

    fastcgi.server = ( ".php" =>
        ( "localhost" =>
            ( "host"     => "127.0.0.1",
              "port"     => 1026,
              "bin-path" => "/usr/bin/php-cgi"
            )
        )
    )
If you want Apache to connect to other ports, then you need to either define those ports as http_port_t as described above, or set the httpd_can_network_connect boolean:

    # setsebool -P httpd_can_network_connect on
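Added example, not part of this bug report and not code from the lighttpd or selinux-policy projects: a small POSIX shell triage helper that takes one AVC record like the name_connect line in the Raw Audit Messages above, checks that it really is a TCP name_connect denial, and prints the two remedies the thread discusses (label the port with semanage so httpd_t may reach it, or switch on httpd_can_network_connect). The avc_field/ctx_type/avc_remedy names and the SAMPLE_AVC line are constructed for this example; the `semanage port -m` branch for a port that already carries a label, and the explicit `on` value for setsebool, are assumptions added here. It only prints the commands, it applies nothing.

```shell
#!/bin/sh
# Added example (not from the bug report): triage an SELinux AVC name_connect
# denial and print the remediation options. Nothing here touches the policy.
# avc_field, ctx_type, avc_remedy and SAMPLE_AVC are constructed for this example.

# A constructed copy of the AVC record shown in the bug (node= prefix dropped).
SAMPLE_AVC='type=AVC msg=audit(1274211115.130:20664): avc: denied { name_connect } for pid=2626 comm="lighttpd" dest=1026 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'

# Pull one key=value field out of an audit record; values may be "quoted".
# The leading space keeps pid= from matching inside ppid= and similar.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# Type component of a user:role:type:level security context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Print "<comm> (<source type>) -> tcp/<port> (<target type>)" followed by the
# commands that would allow the connection. Returns 1 for any other denial.
avc_remedy() {
    rec=$1
    perm=$(printf '%s\n' "$rec" | sed -n 's/.*denied *{ *\([a-z_]*\) *}.*/\1/p')
    tclass=$(avc_field "$rec" tclass)
    if [ "$perm" != name_connect ] || [ "$tclass" != tcp_socket ]; then
        echo "not a tcp name_connect denial (perm=$perm class=$tclass)"
        return 1
    fi
    comm=$(avc_field "$rec" comm)
    port=$(avc_field "$rec" dest)
    stype=$(ctx_type "$(avc_field "$rec" scontext)")
    ttype=$(ctx_type "$(avc_field "$rec" tcontext)")
    echo "$comm ($stype) -> tcp/$port ($ttype)"
    if [ "$ttype" = port_t ]; then
        # port_t is the generic type of an unlabelled port: give the port a
        # type the confined domain is already allowed to connect to (narrow fix).
        echo "semanage port -a -t http_port_t -p tcp $port"
    else
        # The port already has a label; -a would fail, so modify it instead.
        echo "port already labelled $ttype; relabel with: semanage port -m -t http_port_t -p tcp $port"
    fi
    # Broader alternative for the web server domain: let httpd_t connect to
    # any port. This weakens confinement, so prefer the port label above.
    [ "$stype" = httpd_t ] && echo "setsebool -P httpd_can_network_connect on"
    return 0
}

# Usage: feed one AVC line, e.g. from: ausearch -m avc -ts recent
avc_remedy "$SAMPLE_AVC"
```

Run it as is to see the suggestions for the record above; pipe single lines from `ausearch -m avc` into avc_remedy for other denials. A denial that is not a tcp_socket name_connect (a file read, for instance) makes avc_remedy return 1 instead of suggesting a port label.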