Additional info: libreport version: 2.0.16 kernel: 3.5.3-1.fc17.x86_64 description: :SELinux is preventing /usr/sbin/httpd from 'name_connect' accesses on the tcp_socket . : :***** Plugin connect_ports (99.5 confidence) suggests ********************** : :If you want to allow /usr/sbin/httpd to connect to network port 6543 :Then you need to modify the port type. :Do :# semanage port -a -t PORT_TYPE -p tcp 6543 : where PORT_TYPE is one of the following: dns_port_t, ocsp_port_t, kerberos_port_t, http_port_t, ocsp_port_t, kerberos_port_t. : :***** Plugin catchall (1.49 confidence) suggests *************************** : :If you believe that httpd should be allowed name_connect access on the tcp_socket by default. :Then you should report this as a bug. :You can generate a local policy module to allow this access. :Do :allow this access for now by executing: :# grep httpd /var/log/audit/audit.log | audit2allow -M mypol :# semodule -i mypol.pp : :Additional Information: :Source Context system_u:system_r:httpd_t:s0 :Target Context system_u:object_r:unreserved_port_t:s0 :Target Objects [ tcp_socket ] :Source httpd :Source Path /usr/sbin/httpd :Port 6543 :Host (removed) :Source RPM Packages httpd-2.2.22-4.fc17.x86_64 :Target RPM Packages :Policy RPM selinux-policy-3.10.0-156.fc17.noarch :Selinux Enabled True :Policy Type targeted :Enforcing Mode Enforcing :Host Name (removed) :Platform Linux (removed) 3.5.3-1.fc17.x86_64 #1 SMP Wed Aug : 29 18:46:34 UTC 2012 x86_64 x86_64 :Alert Count 4 :First Seen 2012-10-24 23:41:41 BST :Last Seen 2012-10-26 18:42:01 BST :Local ID 988361fb-6c6a-48f0-bed5-8bd8bd42d3b4 : :Raw Audit Messages :type=AVC msg=audit(1351273321.794:5167): avc: denied { name_connect } for pid=32464 comm="httpd" dest=6543 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket : : :type=SYSCALL msg=audit(1351273321.794:5167): arch=x86_64 syscall=connect success=no exit=EACCES a0=c a1=7f930f9996c8 a2=10 a3=40 items=0 ppid=27684 pid=32464 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null) : :Hash: httpd,httpd_t,unreserved_port_t,tcp_socket,name_connect : :audit2allow : :#============= httpd_t ============== :#!!!! This avc can be allowed using one of the these booleans: :# allow_ypbind, httpd_can_network_connect : :allow httpd_t unreserved_port_t:tcp_socket name_connect; : :audit2allow -R : :#============= httpd_t ============== :#!!!! This avc can be allowed using one of the these booleans: :# allow_ypbind, httpd_can_network_connect : :allow httpd_t unreserved_port_t:tcp_socket name_connect; :
Created attachment 633996 [details] File: type
Created attachment 633997 [details] File: hashmarkername
Why is apache trying to connect to 6543?
In _my_ case 6543 is the port that mythweb httpd module uses to communicate with the (myth tv) mythbackend server. Before there's a fix (if there's a fix), is there a suggested workaround? (e.g. just randomly pick and assign one of the allowed port types above?)
Well I would pick http_port_t, should make the tool a little bit smarter to pick sort the list of possible ports with the most match. semanage port -a -t http_port_t -p tcp 6543
Thanks... http_port_t makes sense. If it matters, for me, port 6544 also requires the same access opened, for the same reason.
You can define that port as an http_port_t also.