SELinux is preventing /usr/lib/squid/cachemgr.cgi from 'name_connect' accesses on the tcp_socket port 3128.

Additional Information:
Source Context                system_u:system_r:httpd_squid_script_t:SystemLow
Target Context                system_u:object_r:squid_port_t:SystemLow
Target Objects                port 3128 [ tcp_socket ]
Source                        cachemgr.cgi
Source Path                   /usr/lib/squid/cachemgr.cgi
Port                          3128
Host                          (removed)
Source RPM Packages           squid-3.1.9-3.fc14
Target RPM Packages
Policy RPM                    selinux-policy-3.9.7-18.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux beren.home 2.6.35.9-64.0mac1.fc14.i686 #1 SMP Tue Dec 7 06:36:17 EST 2010 i686 i686
Alert Count                   2
First Seen                    Sun 26 Dec 2010 22:42:28 EST
Last Seen                     Sun 26 Dec 2010 22:42:35 EST
Local ID                      009ee2eb-1551-4afb-8143-dc6404cd1c08

Raw Audit Messages
type=AVC msg=audit(1293363755.905:557): avc: denied { name_connect } for pid=8558 comm="cachemgr.cgi" dest=3128 scontext=system_u:system_r:httpd_squid_script_t:s0 tcontext=system_u:object_r:squid_port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1293363755.905:557): arch=i386 syscall=socketcall success=no exit=EACCES a0=3 a1=bf81abc0 a2=8dce48 a3=3 items=0 ppid=6149 pid=8558 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=cachemgr.cgi exe=/usr/lib/squid/cachemgr.cgi subj=system_u:system_r:httpd_squid_script_t:s0 key=(null)

cachemgr.cgi,httpd_squid_script_t,squid_port_t,tcp_socket,name_connect

#============= httpd_squid_script_t ==============
allow httpd_squid_script_t squid_port_t:tcp_socket name_connect;
Squid's default port is 3128, squid_port_t. cachemgr.cgi needs to be able to connect to this, however the SELinux policy only allows it to connect to port 8080, httpd_cache_port_t:

# policy/modules/services/squid.te, line 187
corenet_tcp_connect_http_cache_port(httpd_squid_script_t)
Seems reasonable.
Fixed in selinux-policy-3.9.7-20.fc14
selinux-policy-3.9.7-20.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-20.fc14
selinux-policy-3.9.7-20.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-20.fc14
selinux-policy-3.9.7-20.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.
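
For triaging denials like the one at the top of this report, the following added example (not part of the original bug thread and not the setroubleshoot or audit2allow source) parses AVC records and derives the candidate allow rule shown at the end of the report. The function names are hypothetical, and the sample lines are copied from the report, with the SYSCALL record shortened.

```python
import re

# Sample input: the AVC record from this report and its SYSCALL record (shortened).
SAMPLE_LOG = [
    'type=AVC msg=audit(1293363755.905:557): avc:  denied  { name_connect } for  '
    'pid=8558 comm="cachemgr.cgi" dest=3128 '
    'scontext=system_u:system_r:httpd_squid_script_t:s0 '
    'tcontext=system_u:object_r:squid_port_t:s0 tclass=tcp_socket',
    'type=SYSCALL msg=audit(1293363755.905:557): arch=i386 syscall=socketcall '
    'success=no exit=EACCES comm=cachemgr.cgi',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of user:role:type[:level]; the level may contain ':'."""
    parts = context.split(':')
    if len(parts) < 3:
        raise ValueError('malformed SELinux context: %r' % context)
    return parts[2]

def parse_avc(line):
    """Parse one audit line; return None unless it is an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    return {
        'perms': m.group('perms').split(),
        'source': selinux_type(fields['scontext']),
        'target': selinux_type(fields['tcontext']),
        'tclass': fields['tclass'],
    }

def candidate_rules(lines):
    """Merge denials per (source, target, class) and render allow rules."""
    merged = {}
    for d in filter(None, map(parse_avc, lines)):
        key = (d['source'], d['target'], d['tclass'])
        merged.setdefault(key, set()).update(d['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        text = perms.pop() if len(perms) == 1 else '{ %s }' % ' '.join(sorted(perms))
        rules.append('allow %s %s:%s %s;' % (src, tgt, cls, text))
    return rules

if __name__ == '__main__':
    print('\n'.join(candidate_rules(SAMPLE_LOG)))
```

The rendered rule is a starting point for reviewing the denial against the policy source, as was done in this report before the fix shipped in the policy package.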