Bug 872624 - SELinux is preventing /usr/sbin/httpd (deleted) from 'name_connect' accesses on the tcp_socket .
Summary: SELinux is preventing /usr/sbin/httpd (deleted) from 'name_connect' accesses ...
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: setroubleshoot-plugins
Version: 18
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:f55faa448aa60c909e2400fdb28...
: 989869 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-11-02 15:34 UTC by Nikhil John
Modified: 2013-11-25 14:01 UTC (History)
6 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2013-11-25 14:01:09 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)
File: type (9 bytes, text/plain)
2012-11-02 15:34 UTC, Nikhil John 		no flags Details
File: hashmarkername (14 bytes, text/plain)
2012-11-02 15:35 UTC, Nikhil John 		no flags Details
View All

Description Nikhil John 2012-11-02 15:34:54 UTC 
Additional info:
libreport version: 2.0.18
kernel:         3.6.1-1.fc18.x86_64

description:
:SELinux is preventing /usr/sbin/httpd (deleted) from 'name_connect' accesses on the tcp_socket .
:
:*****  Plugin catchall_boolean (47.5 confidence) suggests  *******************
:
:If you want to httpd_can_network_connect
:Then you must tell SELinux about this by enabling the 'httpd_can_network_connect' boolean.You can read 'mysqld_selinux' man page for more details.
:Do
:setsebool -P httpd_can_network_connect 1
:
:*****  Plugin catchall_boolean (47.5 confidence) suggests  *******************
:
:If you want to httpd_can_network_connect_db
:Then you must tell SELinux about this by enabling the 'httpd_can_network_connect_db' boolean.You can read 'mysqld_selinux' man page for more details.
:Do
:setsebool -P httpd_can_network_connect_db 1
:
:*****  Plugin catchall (6.38 confidence) suggests  ***************************
:
:If you believe that httpd (deleted) should be allowed name_connect access on the  tcp_socket by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:httpd_t:s0
:Target Context                system_u:object_r:mysqld_port_t:s0
:Target Objects                 [ tcp_socket ]
:Source                        httpd
:Source Path                   /usr/sbin/httpd (deleted)
:Port                          3306
:Host                          (removed)
:Source RPM Packages           
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.11.1-46.fc18.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.6.1-1.fc18.x86_64 #1 SMP Mon Oct
:                              8 17:19:09 UTC 2012 x86_64 x86_64
:Alert Count                   1
:First Seen                    2012-11-02 21:02:40 IST
:Last Seen                     2012-11-02 21:02:40 IST
:Local ID                      12be1b22-6e81-4c2c-91af-f4714546ebda
:
:Raw Audit Messages
:type=AVC msg=audit(1351870360.360:470): avc:  denied  { name_connect } for  pid=913 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
:
:
:type=SYSCALL msg=audit(1351870360.360:470): arch=x86_64 syscall=connect success=no exit=EACCES a0=3 a1=7f77dc376ce8 a2=10 a3=7fffd74b5300 items=0 ppid=1 pid=913 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=httpd exe=2F7573722F7362696E2F6874747064202864656C6574656429 subj=system_u:system_r:httpd_t:s0 key=(null)
:
:Hash: httpd,httpd_t,mysqld_port_t,tcp_socket,name_connect
:
:audit2allow
:
:#============= httpd_t ==============
:#!!!! This avc can be allowed using one of the these booleans:
:#     httpd_can_network_connect, httpd_can_network_connect_db
:
:allow httpd_t mysqld_port_t:tcp_socket name_connect;
:
:audit2allow -R
:
:#============= httpd_t ==============
:#!!!! This avc can be allowed using one of the these booleans:
:#     httpd_can_network_connect, httpd_can_network_connect_db
:
:allow httpd_t mysqld_port_t:tcp_socket name_connect;
:
Comment 1 Nikhil John 2012-11-02 15:34:58 UTC 
Created attachment 637133 [details]
File: type
Comment 2 Nikhil John 2012-11-02 15:35:00 UTC 
Created attachment 637134 [details]
File: hashmarkername
Comment 3 Miroslav Grepl 2012-11-05 09:44:51 UTC 
The Alert tells you what to do.

If you want to httpd_can_network_connect_db. Then you must tell SELinux about this by enabling the 'httpd_can_network_connect_db' boolean. You can read 'mysqld_selinux' man page for more details.

Do

# setsebool -P httpd_can_network_connect_db 1
Comment 4 Miroslav Grepl 2012-11-05 09:51:34 UTC 
Dan,
it looks like we have a bug here.

"Then you must tell SELinux about this by enabling the 'httpd_can_network_connect' boolean.You can read 'mysqld_selinux' man page for more details."

We talk about 'mysqld_selinux' instead of 'httpd_selinux'


Patch:

--- /usr/share/setroubleshoot/plugins/catchall_boolean.py.old	2012-11-05 10:49:06.148612989 +0100
+++ /usr/share/setroubleshoot/plugins/catchall_boolean.py	2012-11-05 10:49:49.337631939 +0100
@@ -73,7 +73,7 @@
         return text
         
     def analyze(self, avc):
-        man_page = self.check_for_man(avc.tcontext.type)
+        man_page = self.check_for_man(avc.scontext.type)
Comment 5 Miroslav Grepl 2013-07-30 08:53:07 UTC 
*** Bug 989869 has been marked as a duplicate of this bug. ***
Comment 6 Renato Biancalana da Silva 2013-11-23 18:05:16 UTC 
Description of problem:
When I try to open a virtual host of a project that uses CodeIgniter and configured to access my online DB

Additional info:
reporter:       libreport-2.1.9
hashmarkername: setroubleshoot
kernel:         3.11.8-200.fc19.x86_64
type:           libreport
Note You need to log in before you can comment on or make changes to this bug.