Bug 798924 - SELinux is preventing /usr/sbin/cherokee-worker from 'name_connect' accesses on the None .
SELinux is preventing /usr/sbin/cherokee-worker from 'name_connect' accesses ...
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
16
x86_64 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
abrt_hash:2fdad1021eb5e194d82004562fe...
:
: 798921 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-03-01 04:42 EST by Renich Bon Ciric
Modified: 2012-03-21 09:58 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-03-01 06:53:04 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Renich Bon Ciric 2012-03-01 04:42:14 EST
libreport version: 2.0.8
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.2.7-1.fc16.x86_64
reason:         SELinux is preventing /usr/sbin/cherokee-worker from 'name_connect' accesses on the None .
time:           Thu 01 Mar 2012 03:42:05 AM CST

description:
:SELinux is preventing /usr/sbin/cherokee-worker from 'name_connect' accesses on the None .
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that cherokee-worker should be allowed name_connect access on the  <Unknown> by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep cherokee-worker /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:httpd_t:s0
:Target Context                system_u:object_r:unreserved_port_t:s0
:Target Objects                 [ None ]
:Source                        cherokee-worker
:Source Path                   /usr/sbin/cherokee-worker
:Port                          9000
:Host                          (removed)
:Source RPM Packages           cherokee-1.2.101-3.fc16.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-78.fc16.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.2.7-1.fc16.x86_64 #1 SMP
:                              Tue Feb 21 01:40:47 UTC 2012 x86_64 x86_64
:Alert Count                   25
:First Seen                    Thu 01 Mar 2012 03:40:08 AM CST
:Last Seen                     Thu 01 Mar 2012 03:40:19 AM CST
:Local ID                      d1e242f5-9fcf-4510-853b-ae2ca3337ad9
:
:Raw Audit Messages
:type=AVC msg=audit(1330594819.217:286): avc:  denied  { name_connect } for  pid=21608 comm="cherokee-worker" dest=9000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socketnode=(removed) type=SYSCALL msg=audit(1330594819.217:286): arch=c000003e syscall=42 success=no exit=-13 a0=27 a1=7fd8bc001bb8 a2=10 a3=7fd9a4325c7c items=0 ppid=21578 pid=21608 auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="cherokee-worker" exe="/usr/sbin/cherokee-worker" subj=system_u:system_r:httpd_t:s0 key=(null)
:
:
:Hash: cherokee-worker,httpd_t,unreserved_port_t,None,name_connect
:
:audit2allow
:
:
:audit2allow -R
:
:
Comment 1 Miroslav Grepl 2012-03-01 06:53:04 EST
SELinux is preventing cherokee-worker from name_connect access on the tcp_socket .

*****  Plugin connect_ports (85.9 confidence) suggests  **********************

If you want to allow cherokee-worker to connect to network port 9000
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 9000
    where PORT_TYPE is one of the following: dns_port_t, ocsp_port_t, kerberos_port_t, ocsp_port_t, kerberos_port_t.

*****  Plugin catchall_boolean (7.33 confidence) suggests  *******************

If you want to allow system to run with NIS
Then you must tell SELinux about this by enabling the 'allow_ypbind'boolean.
Do
setsebool -P allow_ypbind 1

*****  Plugin catchall_boolean (7.33 confidence) suggests  *******************

If you want to allow HTTPD scripts and modules to connect to the network using any TCP port.
Then you must tell SELinux about this by enabling the 'httpd_can_network_connect' boolean. You can read 'httpd_selinux' man page for more details.
Do
setsebool -P httpd_can_network_connect 1
Comment 2 Miroslav Grepl 2012-03-01 06:53:48 EST
What is your version of setroubleshoot?
Comment 3 Miroslav Grepl 2012-03-01 06:54:27 EST
*** Bug 798921 has been marked as a duplicate of this bug. ***
Comment 4 Renich Bon Ciric 2012-03-01 14:55:03 EST
Ok, just wanted you to be aware of the fact that php-fmp is the new way of using PHP. The connection is from localhost. 

Just because one uses PHP we have to enable all TCP connections other than port 80?
Comment 5 Daniel Walsh 2012-03-01 16:04:01 EST
Renich are you saying that any php app is going to be connecting to random ports on localhost?  Or are you saying cherockee is?
Comment 6 Renich Bon Ciric 2012-03-01 20:06:48 EST
(In reply to comment #5)
> Renich are you saying that any php app is going to be connecting to random
> ports on localhost?  Or are you saying cherockee is?

It's not random. It's port 9000 when php-fmp is installed.

Here's the official website: http://php-fpm.org/

It is said it's going to be a default on PHP's future.

For now, when installing php-fmp, it always uses port 9000. When not, cherokee does pick a random port, I think, for it's localhost fcgi connection to the interpreter.

It would be possible to let cherokee, if you consider it feasible, connect to localhost TCP ports. I am not shure of this but, when using Python over fcgi and Ruby, it needs connections to these too.

I will copy the ruby and python maintainers to see if they can provide feedback on this.
Comment 7 Peter Robinson 2012-03-02 04:50:43 EST
I'm not a python or ruby maintainer so I presume adding me was in error
Comment 8 Daniel Walsh 2012-03-02 07:51:05 EST
Any change of using named sockets rather then network ports?
Comment 9 Renich Bon Ciric 2012-03-02 15:56:06 EST
(In reply to comment #7)
> I'm not a python or ruby maintainer so I presume adding me was in error

Sorry, Peter! I'm adding kanarip to this thread.
Comment 10 Renich Bon Ciric 2012-03-20 01:34:24 EDT
(In reply to comment #8)
> Any change of using named sockets rather then network ports?

Well, there is an option to configure php-fpm to use sockets: 

"listen_address - Address to accept fastcgi requests on. Valid syntax is 'ip.ad.re.ss:port' or just 'port' or '/path/to/unix/socket'. Default: 127.0.0.1:9000"

from: http://php-fpm.org/wiki/Configuration_File

I will include the php-fpm packager in order for him/her to take this into account (change to using sockets).

Either way, since the last update, it has become imposible to use cherokee and php-fpm. Some output:

type=AVC msg=audit(1332221002.269:241): avc:  denied  { name_connect } for  pid=14045 comm="cherokee-worker" dest=9000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1332221002.269:241): arch=c000003e syscall=42 success=no exit=-13 a0=24 a1=7f4028001b58 a2=10 a3=7f41051f7c7c items=0 ppid=14013 pid=14045 auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="cherokee-worker" exe="/usr/sbin/cherokee-worker" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1332221002.270:242): avc:  denied  { name_connect } for  pid=14045 comm="cherokee-worker" dest=9000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1332221002.270:242): arch=c000003e syscall=42 success=no exit=-13 a0=24 a1=7f4028001b58 a2=10 a3=7f41051f7c7c items=0 ppid=14013 pid=14045 auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="cherokee-worker" exe="/usr/sbin/cherokee-worker" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1332221002.311:243): avc:  denied  { open } for  pid=14357 comm="php-fpm" name="php-fpm.log" dev=dm-5 ino=1835075 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1332221002.311:243): arch=c000003e syscall=2 success=no exit=-13 a0=2d0a2c0 a1=441 a2=180 a3=3610c8cef0 items=0 ppid=14013 pid=14357 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1332221003.270:244): avc:  denied  { name_connect } for  pid=14045 comm="cherokee-worker" dest=9000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1332221003.270:244): arch=c000003e syscall=42 success=no exit=-13 a0=24 a1=7f4028001b58 a2=10 a3=7f41051f7c7c items=0 ppid=14013 pid=14045 auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="cherokee-worker" exe="/usr/sbin/cherokee-worker" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1332221003.271:245): avc:  denied  { name_connect } for  pid=14045 comm="cherokee-worker" dest=9000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1332221003.271:245): arch=c000003e syscall=42 success=no exit=-13 a0=24 a1=7f4028001b58 a2=10 a3=7f41051f7c7c items=0 ppid=14013 pid=14045 auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="cherokee-worker" exe="/usr/sbin/cherokee-worker" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1332221003.272:246): avc:  denied  { name_connect } for  pid=14045 comm="cherokee-worker" dest=9000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1332221003.272:246): arch=c000003e syscall=42 success=no exit=-13 a0=24 a1=7f4028001b58 a2=10 a3=7f41051f7c7c items=0 ppid=14013 pid=14045 auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="cherokee-worker" exe="/usr/sbin/cherokee-worker" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1332221003.305:247): avc:  denied  { open } for  pid=14380 comm="php-fpm" name="php-fpm.log" dev=dm-5 ino=1835075 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1332221003.305:247): arch=c000003e syscall=2 success=no exit=-13 a0=214b2c0 a1=441 a2=180 a3=3610c8cef0 items=0 ppid=14013 pid=14380 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1332221004.274:248): avc:  denied  { name_connect } for  pid=14045 comm="cherokee-worker" dest=9000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1332221004.274:248): arch=c000003e syscall=42 success=no exit=-13 a0=24 a1=7f4028001b58 a2=10 a3=7f41051f7c7c items=0 ppid=14013 pid=14045 auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="cherokee-worker" exe="/usr/sbin/cherokee-worker" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1332221004.275:249): avc:  denied  { name_connect } for  pid=14045 comm="cherokee-worker" dest=9000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1332221004.275:249): arch=c000003e syscall=42 success=no exit=-13 a0=24 a1=7f4028001b58 a2=10 a3=7f41051f7c7c items=0 ppid=14013 pid=14045 auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="cherokee-worker" exe="/usr/sbin/cherokee-worker" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1332221004.275:250): avc:  denied  { name_connect } for  pid=14045 comm="cherokee-worker" dest=9000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1332221004.275:250): arch=c000003e syscall=42 success=no exit=-13 a0=24 a1=7f4028001b58 a2=10 a3=7f41051f7c7c items=0 ppid=14013 pid=14045 auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="cherokee-worker" exe="/usr/sbin/cherokee-worker" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1332221004.313:251): avc:  denied  { open } for  pid=14409 comm="php-fpm" name="php-fpm.log" dev=dm-5 ino=1835075 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1332221004.313:251): arch=c000003e syscall=2 success=no exit=-13 a0=11c42c0 a1=441 a2=180 a3=3610c8cef0 items=0 ppid=14013 pid=14409 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1332221005.277:252): avc:  denied  { name_connect } for  pid=14045 comm="cherokee-worker" dest=9000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1332221005.277:252): arch=c000003e syscall=42 success=no exit=-13 a0=24 a1=7f4028001b58 a2=10 a3=7f41051f7c7c items=0 ppid=14013 pid=14045 auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="cherokee-worker" exe="/usr/sbin/cherokee-worker" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1332221005.278:253): avc:  denied  { name_connect } for  pid=14045 comm="cherokee-worker" dest=9000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1332221005.278:253): arch=c000003e syscall=42 success=no exit=-13 a0=24 a1=7f4028001b58 a2=10 a3=7f41051f7c7c items=0 ppid=14013 pid=14045 auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="cherokee-worker" exe="/usr/sbin/cherokee-worker" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1332221005.279:254): avc:  denied  { name_connect } for  pid=14045 comm="cherokee-worker" dest=9000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1332221005.279:254): arch=c000003e syscall=42 success=no exit=-13 a0=24 a1=7f4028001b58 a2=10 a3=7f41051f7c7c items=0 ppid=14013 pid=14045 auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="cherokee-worker" exe="/usr/sbin/cherokee-worker" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1332221005.321:255): avc:  denied  { open } for  pid=14438 comm="php-fpm" name="php-fpm.log" dev=dm-5 ino=1835075 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1332221005.321:255): arch=c000003e syscall=2 success=no exit=-13 a0=17652c0 a1=441 a2=180 a3=3610c8cef0 items=0 ppid=14013 pid=14438 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1332221006.278:256): avc:  denied  { name_connect } for  pid=14045 comm="cherokee-worker" dest=9000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1332221006.278:256): arch=c000003e syscall=42 success=no exit=-13 a0=24 a1=7f4028001b58 a2=10 a3=7f41051f7c7c items=0 ppid=14013 pid=14045 auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="cherokee-worker" exe="/usr/sbin/cherokee-worker" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1332221006.278:257): avc:  denied  { name_connect } for  pid=14045 comm="cherokee-worker" dest=9000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1332221006.278:257): arch=c000003e syscall=42 success=no exit=-13 a0=24 a1=7f4028001b58 a2=10 a3=7f41051f7c7c items=0 ppid=14013 pid=14045 auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="cherokee-worker" exe="/usr/sbin/cherokee-worker" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1332221006.279:258): avc:  denied  { name_connect } for  pid=14045 comm="cherokee-worker" dest=9000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1332221006.279:258): arch=c000003e syscall=42 success=no exit=-13 a0=24 a1=7f4028001b58 a2=10 a3=7f41051f7c7c items=0 ppid=14013 pid=14045 auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="cherokee-worker" exe="/usr/sbin/cherokee-worker" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1332221006.321:259): avc:  denied  { open } for  pid=14467 comm="php-fpm" name="php-fpm.log" dev=dm-5 ino=1835075 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1332221006.321:259): arch=c000003e syscall=2 success=no exit=-13 a0=11ca2c0 a1=441 a2=180 a3=3610c8cef0 items=0 ppid=14013 pid=14467 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1332221007.282:260): avc:  denied  { name_connect } for  pid=14045 comm="cherokee-worker" dest=9000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1332221007.282:260): arch=c000003e syscall=42 success=no exit=-13 a0=24 a1=7f4028001b58 a2=10 a3=7f41051f7c7c items=0 ppid=14013 pid=14045 auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="cherokee-worker" exe="/usr/sbin/cherokee-worker" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1332221007.283:261): avc:  denied  { name_connect } for  pid=14045 comm="cherokee-worker" dest=9000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1332221007.283:261): arch=c000003e syscall=42 success=no exit=-13 a0=24 a1=7f4028001b58 a2=10 a3=7f41051f7c7c items=0 ppid=14013 pid=14045 auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="cherokee-worker" exe="/usr/sbin/cherokee-worker" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1332221007.394:262): avc:  denied  { name_connect } for  pid=14033 comm="cherokee-worker" dest=9000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1332221007.394:262): arch=c000003e syscall=42 success=no exit=-13 a0=24 a1=7f40c0001bb8 a2=10 a3=7f410b203c7c items=0 ppid=14013 pid=14033 auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="cherokee-worker" exe="/usr/sbin/cherokee-worker" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1332221007.394:263): avc:  denied  { name_connect } for  pid=14033 comm="cherokee-worker" dest=9000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1332221007.394:263): arch=c000003e syscall=42 success=no exit=-13 a0=24 a1=7f40c0001bb8 a2=10 a3=7f410b203c7c items=0 ppid=14013 pid=14033 auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="cherokee-worker" exe="/usr/sbin/cherokee-worker" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1332221007.425:264): avc:  denied  { open } for  pid=14501 comm="php-fpm" name="php-fpm.log" dev=dm-5 ino=1835075 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1332221007.425:264): arch=c000003e syscall=2 success=no exit=-13 a0=11592c0 a1=441 a2=180 a3=3610c8cef0 items=0 ppid=14013 pid=14501 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1332221008.395:265): avc:  denied  { name_connect } for  pid=14033 comm="cherokee-worker" dest=9000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1332221008.395:265): arch=c000003e syscall=42 success=no exit=-13 a0=24 a1=7f40c0001bb8 a2=10 a3=7f410b203c7c items=0 ppid=14013 pid=14033 auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="cherokee-worker" exe="/usr/sbin/cherokee-worker" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1332221008.395:266): avc:  denied  { name_connect } for  pid=14033 comm="cherokee-worker" dest=9000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1332221008.395:266): arch=c000003e syscall=42 success=no exit=-13 a0=24 a1=7f40c0001bb8 a2=10 a3=7f410b203c7c items=0 ppid=14013 pid=14033 auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="cherokee-worker" exe="/usr/sbin/cherokee-worker" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1332221008.396:267): avc:  denied  { name_connect } for  pid=14033 comm="cherokee-worker" dest=9000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1332221008.396:267): arch=c000003e syscall=42 success=no exit=-13 a0=24 a1=7f40c0001bb8 a2=10 a3=7f410b203c7c items=0 ppid=14013 pid=14033 auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="cherokee-worker" exe="/usr/sbin/cherokee-worker" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1332221008.433:268): avc:  denied  { open } for  pid=14531 comm="php-fpm" name="php-fpm.log" dev=dm-5 ino=1835075 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1332221008.433:268): arch=c000003e syscall=2 success=no exit=-13 a0=28e72c0 a1=441 a2=180 a3=3610c8cef0 items=0 ppid=14013 pid=14531 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1332221009.397:269): avc:  denied  { name_connect } for  pid=14033 comm="cherokee-worker" dest=9000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1332221009.397:269): arch=c000003e syscall=42 success=no exit=-13 a0=24 a1=7f40c0001bb8 a2=10 a3=7f410b203c7c items=0 ppid=14013 pid=14033 auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="cherokee-worker" exe="/usr/sbin/cherokee-worker" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1332221009.398:270): avc:  denied  { name_connect } for  pid=14033 comm="cherokee-worker" dest=9000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1332221009.398:270): arch=c000003e syscall=42 success=no exit=-13 a0=24 a1=7f40c0001bb8 a2=10 a3=7f410b203c7c items=0 ppid=14013 pid=14033 auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="cherokee-worker" exe="/usr/sbin/cherokee-worker" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1332221009.399:271): avc:  denied  { name_connect } for  pid=14033 comm="cherokee-worker" dest=9000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1332221009.399:271): arch=c000003e syscall=42 success=no exit=-13 a0=24 a1=7f40c0001bb8 a2=10 a3=7f410b203c7c items=0 ppid=14013 pid=14033 auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="cherokee-worker" exe="/usr/sbin/cherokee-worker" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1332221009.435:272): avc:  denied  { open } for  pid=14560 comm="php-fpm" name="php-fpm.log" dev=dm-5 ino=1835075 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1332221009.435:272): arch=c000003e syscall=2 success=no exit=-13 a0=2d1f2c0 a1=441 a2=180 a3=3610c8cef0 items=0 ppid=14013 pid=14560 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1332221010.399:273): avc:  denied  { name_connect } for  pid=14033 comm="cherokee-worker" dest=9000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1332221010.399:273): arch=c000003e syscall=42 success=no exit=-13 a0=24 a1=7f40c0001bb8 a2=10 a3=7f410b203c7c items=0 ppid=14013 pid=14033 auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="cherokee-worker" exe="/usr/sbin/cherokee-worker" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1332221010.399:274): avc:  denied  { name_connect } for  pid=14033 comm="cherokee-worker" dest=9000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1332221010.399:274): arch=c000003e syscall=42 success=no exit=-13 a0=24 a1=7f40c0001bb8 a2=10 a3=7f410b203c7c items=0 ppid=14013 pid=14033 auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="cherokee-worker" exe="/usr/sbin/cherokee-worker" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1332221010.400:275): avc:  denied  { name_connect } for  pid=14033 comm="cherokee-worker" dest=9000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1332221010.400:275): arch=c000003e syscall=42 success=no exit=-13 a0=24 a1=7f40c0001bb8 a2=10 a3=7f410b203c7c items=0 ppid=14013 pid=14033 auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="cherokee-worker" exe="/usr/sbin/cherokee-worker" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1332221010.434:276): avc:  denied  { open } for  pid=14589 comm="php-fpm" name="php-fpm.log" dev=dm-5 ino=1835075 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1332221010.434:276): arch=c000003e syscall=2 success=no exit=-13 a0=19ba2c0 a1=441 a2=180 a3=3610c8cef0 items=0 ppid=14013 pid=14589 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1332221011.402:277): avc:  denied  { name_connect } for  pid=14033 comm="cherokee-worker" dest=9000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1332221011.402:277): arch=c000003e syscall=42 success=no exit=-13 a0=24 a1=7f40c0001bb8 a2=10 a3=7f410b203c7c items=0 ppid=14013 pid=14033 auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="cherokee-worker" exe="/usr/sbin/cherokee-worker" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1332221011.403:278): avc:  denied  { name_connect } for  pid=14033 comm="cherokee-worker" dest=9000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1332221011.403:278): arch=c000003e syscall=42 success=no exit=-13 a0=24 a1=7f40c0001bb8 a2=10 a3=7f410b203c7c items=0 ppid=14013 pid=14033 auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="cherokee-worker" exe="/usr/sbin/cherokee-worker" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1332221011.404:279): avc:  denied  { name_connect } for  pid=14033 comm="cherokee-worker" dest=9000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1332221011.404:279): arch=c000003e syscall=42 success=no exit=-13 a0=24 a1=7f40c0001bb8 a2=10 a3=7f410b203c7c items=0 ppid=14013 pid=14033 auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="cherokee-worker" exe="/usr/sbin/cherokee-worker" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1332221011.436:280): avc:  denied  { open } for  pid=14618 comm="php-fpm" name="php-fpm.log" dev=dm-5 ino=1835075 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1332221011.436:280): arch=c000003e syscall=2 success=no exit=-13 a0=28e02c0 a1=441 a2=180 a3=3610c8cef0 items=0 ppid=14013 pid=14618 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1332221012.404:281): avc:  denied  { name_connect } for  pid=14033 comm="cherokee-worker" dest=9000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1332221012.404:281): arch=c000003e syscall=42 success=no exit=-13 a0=24 a1=7f40c0001bb8 a2=10 a3=7f410b203c7c items=0 ppid=14013 pid=14033 auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="cherokee-worker" exe="/usr/sbin/cherokee-worker" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1332221012.404:282): avc:  denied  { name_connect } for  pid=14033 comm="cherokee-worker" dest=9000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1332221012.404:282): arch=c000003e syscall=42 success=no exit=-13 a0=24 a1=7f40c0001bb8 a2=10 a3=7f410b203c7c items=0 ppid=14013 pid=14033 auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="cherokee-worker" exe="/usr/sbin/cherokee-worker" subj=system_u:system_r:httpd_t:s0 key=(null)
Comment 11 Daniel Walsh 2012-03-20 12:11:39 EDT
Turn on the httpd_can_network_connect boolean.

setsebool -P httpd_can_network_connect 1

What directory is php-fpm.log being created in?
Comment 12 Renich Bon Ciric 2012-03-21 01:19:19 EDT
(In reply to comment #11)
> Turn on the httpd_can_network_connect boolean.
> 
> setsebool -P httpd_can_network_connect 1

As I mentioned before, this seems too much but, ok; I will do so ;=s. The socket alternative you mentioned seems a lot better...

> What directory is php-fpm.log being created in?

/var/log/php-fpm
Comment 13 Daniel Walsh 2012-03-21 09:58:45 EDT
chcon -t httpd_log_t /var/log/php-fpm

I just changed this in F17.

Sorry I did not read the entire bugzilla.  A better solution would be to change the label on the port.

Note You need to log in before you can comment on or make changes to this bug.