Bug 667278 - SELinux is preventing /usr/sbin/httpd from 'name_connect' accesses on the tcp_socket port 3050.
Summary: SELinux is preventing /usr/sbin/httpd from 'name_connect' accesses on the tcp...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 14
Hardware: x86_64
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:ccc9ecaf256...
Depends On:
Blocks:
 
Reported: 2011-01-05 02:36 UTC by juan
Modified: 2011-08-07 09:36 UTC (History)

Fixed In Version: selinux-policy-3.9.7-42.fc14
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-07-12 05:16:21 UTC
Type: ---



Description juan 2011-01-05 02:36:27 UTC
SELinux is preventing /usr/sbin/httpd from 'name_connect' accesses on the tcp_socket port 3050.

*****  Plugin connect_ports (85.9 confidence) suggests  **********************

If you want to allow /usr/sbin/httpd to connect to network port 3050
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 3050
    where PORT_TYPE is one of the following: ldap_port_t, dns_port_t, http_port_t, kerberos_port_t, ocsp_port_t.

*****  Plugin catchall_boolean (7.33 confidence) suggests  *******************

If you want to allow system to run with NIS
Then you must tell SELinux about this by enabling the 'allow_ypbind' boolean.
Do
setsebool -P allow_ypbind 1

*****  Plugin catchall_boolean (7.33 confidence) suggests  *******************

If you want to allow HTTPD scripts and modules to connect to the network using any TCP port.
Then you must tell SELinux about this by enabling the 'httpd_can_network_connect' boolean.
Do
setsebool -P httpd_can_network_connect 1

*****  Plugin catchall (1.35 confidence) suggests  ***************************

If you believe that httpd should be allowed name_connect access on the port 3050 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep /usr/sbin/httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:port_t:s0
Target Objects                port 3050 [ tcp_socket ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          3050
Host                          (removed)
Source RPM Packages           httpd-2.2.17-1.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-19.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux host.localdomain 2.6.35.10-74.fc14.x86_64 #1
                              SMP Thu Dec 23 16:04:50 UTC 2010 x86_64 x86_64
Alert Count                   8
First Seen                    Tue 04 Jan 2011 18:10:21 MST
Last Seen                     Tue 04 Jan 2011 18:57:41 MST
Local ID                      08d21df1-5b04-406b-9d27-85645ad92f7b

Raw Audit Messages
type=AVC msg=audit(1294192661.590:72): avc:  denied  { name_connect } for  pid=6809 comm="httpd" dest=3050 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

httpd,httpd_t,port_t,tcp_socket,name_connect
type=SYSCALL msg=audit(1294192661.590:72): arch=x86_64 syscall=connect success=no exit=EHOSTUNREACH a0=13 a1=7fff2928dcb0 a2=10 a3=1 items=0 ppid=1799 pid=6809 auid=4294967295 uid=48 gid=488 euid=48 suid=48 fsuid=48 egid=488 sgid=488 fsgid=488 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
httpd,httpd_t,port_t,tcp_socket,name_connect

#============= httpd_t ==============
#!!!! This avc can be allowed using one of these booleans:
#     allow_ypbind, httpd_can_network_connect

allow httpd_t port_t:tcp_socket name_connect;

Comment 1 juan 2011-01-05 02:45:04 UTC
I can't find a SELinux port type for Firebird.

Comment 2 Miroslav Grepl 2011-01-05 08:42:21 UTC
juan,
execute:

# semanage port -a -t mysqld_port_t -p tcp 3050
# setsebool -P httpd_can_network_connect_db 1

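As an added example (not code from the bug report or from the selinux-policy project), the POSIX shell script below turns AVC records like the one in the Description into the narrow fix Comment 2 recommends: give the port a database port type and enable httpd_can_network_connect_db, instead of the broad httpd_can_network_connect boolean that the catchall_boolean plugin also offers, which would let httpd_t reach every TCP port. The audit records are constructed samples modelled on the Raw Audit Messages above; postgresql_port_t is assumed to exist alongside the mysqld_port_t and firebird_port_t types named in the thread; and the verify function only does a live check where semanage and getsebool are installed.

```shell
#!/bin/sh
# Added example, not from the bug report: derive the narrowest remediation for an
# httpd_t name_connect denial and show how to verify it afterwards.

# Constructed sample records modelled on the "Raw Audit Messages" in the report.
AVC_UNLABELED='type=AVC msg=audit(1294192661.590:72): avc:  denied  { name_connect } for  pid=6809 comm="httpd" dest=3050 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'
AVC_DB_PORT='type=AVC msg=audit(1294192800.111:90): avc:  denied  { name_connect } for  pid=6810 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket'

# avc_field RECORD KEY: value of "KEY=value" in an AVC record, empty if absent.
# The leading whitespace anchor keeps "scontext" from matching inside "tcontext".
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# ctx_type CONTEXT: the type (third component) of an SELinux security context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# suggest_fix RECORD: print the commands that resolve the denial, one per line.
# Only httpd_t -> tcp_socket name_connect denials are handled; anything else
# prints "unhandled" and returns 1.
suggest_fix() {
    record=$1
    stype=$(ctx_type "$(avc_field "$record" scontext)")
    ttype=$(ctx_type "$(avc_field "$record" tcontext)")
    tclass=$(avc_field "$record" tclass)
    port=$(avc_field "$record" dest)
    case "$record" in
        *'{ name_connect }'*) ;;
        *) echo "unhandled: not a name_connect denial"; return 1 ;;
    esac
    if [ "$stype" != httpd_t ] || [ "$tclass" != tcp_socket ]; then
        echo "unhandled: $stype $tclass"; return 1
    fi
    case "$ttype" in
        port_t)
            # Generic, unlabeled port: label it as a database port first so the
            # narrow boolean applies (Comment 2). firebird_port_t only exists
            # from selinux-policy-3.9.7-42.fc14 onward (Comment 6), so the
            # mysqld_port_t workaround is used here.
            echo "semanage port -a -t mysqld_port_t -p tcp $port"
            echo "setsebool -P httpd_can_network_connect_db 1"
            ;;
        mysqld_port_t|postgresql_port_t|firebird_port_t)
            # Port already carries a database label: the boolean alone suffices.
            # (postgresql_port_t is assumed to exist; the thread names the other two.)
            echo "setsebool -P httpd_can_network_connect_db 1"
            ;;
        *)
            # No narrow boolean covers this target type; the broad boolean lets
            # httpd_t connect to every TCP port, so treat it as a last resort.
            echo "setsebool -P httpd_can_network_connect 1  # broad, prefer a port label"
            ;;
    esac
}

# verify PORT: on a host with the SELinux tools, show PORT's current label and
# the state of both booleans so the change can be checked after applying it.
verify() {
    command -v semanage >/dev/null 2>&1 || { echo "semanage not available; skipping live check"; return 0; }
    semanage port -l | grep -w -- "$1" || echo "no explicit label for port $1"
    getsebool httpd_can_network_connect_db httpd_can_network_connect
}

suggest_fix "$AVC_UNLABELED"
suggest_fix "$AVC_DB_PORT"
verify 3050
```

After applying the commands on a real host, re-run the verify step and clear the old denials from consideration with `ausearch -m avc -c httpd` scoped to the time after the change; a denial that still shows tcontext port_t means the port label did not take.
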
Comment 3 Daniel Walsh 2011-01-05 19:16:59 UTC
Should we make this permanent?

Comment 4 Philippe Makowski 2011-04-25 13:03:05 UTC
adding firebird port 3050 would be nice yes

Comment 5 Daniel Walsh 2011-04-25 13:16:50 UTC
I think it makes most sense to define this as the firebird_port_t and then allow apache to connect to it if the httpd_can_network_connect_db boolean is turned on.

I made the changes in Rawhide.

Comment 6 Miroslav Grepl 2011-05-27 09:03:46 UTC
Fixed in selinux-policy-3.9.7-42.fc14

Comment 7 Fedora Update System 2011-05-27 15:45:11 UTC
selinux-policy-3.9.7-42.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-42.fc14

Comment 8 Fedora Update System 2011-05-27 20:27:09 UTC
Package selinux-policy-3.9.7-42.fc14:
* should fix your issue,
* was pushed to the Fedora 14 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.7-42.fc14'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-42.fc14
then log in and leave karma (feedback).

Comment 9 Fedora Update System 2011-07-12 05:14:28 UTC
selinux-policy-3.9.7-42.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.
