Description of problem:
$ sudo yum install polipo
$ sudo service polipo start

SELinux is preventing /usr/bin/polipo from 'name_bind' accesses on the tcp_socket .

***** Plugin bind_ports (99.5 confidence) suggests *************************

If you want to allow /usr/bin/polipo to bind to network port 8123
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 8123
    where PORT_TYPE is one of the following: http_cache_port_t.

***** Plugin catchall (1.49 confidence) suggests ***************************

If you believe that polipo should be allowed name_bind access on the tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep polipo /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:polipo_t:s0
Target Context                system_u:object_r:unreserved_port_t:s0
Target Objects                [ tcp_socket ]
Source                        polipo
Source Path                   /usr/bin/polipo
Port                          8123
Host                          (removed)
Source RPM Packages           polipo-1.0.4.1-9.fc18.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.11.1-59.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.6.9-4.fc18.x86_64 #1 SMP Tue Dec 4 14:12:51 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    2012-12-05 23:42:59 PST
Last Seen                     2012-12-05 23:42:59 PST
Local ID                      ac755af2-5ca1-46f8-b0ef-1ea724085052

Raw Audit Messages
type=AVC msg=audit(1354779779.252:407): avc: denied { name_bind } for pid=5304 comm="polipo" src=8123 scontext=system_u:system_r:polipo_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1354779779.252:407): arch=x86_64 syscall=bind success=no exit=EACCES a0=0 a1=7fff53cf1300 a2=10 a3=7fff53cf1070 items=0 ppid=1 pid=5304 auid=4294967295 uid=989 gid=986 euid=989 suid=989 fsuid=989 egid=986 sgid=986 fsgid=986 tty=(none) ses=4294967295 comm=polipo exe=/usr/bin/polipo subj=system_u:system_r:polipo_t:s0 key=(null)

Hash: polipo,polipo_t,unreserved_port_t,tcp_socket,name_bind

audit2allow

#============= polipo_t ==============
#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow polipo_t unreserved_port_t:tcp_socket name_bind;

audit2allow -R

#============= polipo_t ==============
#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow polipo_t unreserved_port_t:tcp_socket name_bind;

Additional info:
hashmarkername: setroubleshoot
kernel:         3.6.9-4.fc18.x86_64
type:           libreport
Did you configure polipo to use tcp/8123 port?
I did not change the configuration to use that port. Digging around further, I notice port 8123 is no longer in http_cache_port_t.

----
Output from Fedora 18 Beta:

$ sepolicy network -d polipo_t

polipo_t: tcp name_connect
	dns_port_t: 53
	http_port_t: 80,81,443,488,8008,8009,8443,9000
	ocsp_port_t: 9080
	kerberos_port_t: 88,750,4444

polipo_t: tcp name_bind
	http_cache_port_t: 8080,8118,10001-10010

$ sudo semanage port -l | grep http_cache_port
http_cache_port_t              tcp      8080, 8118, 10001-10010
http_cache_port_t              udp      3130

----
Output from Fedora 17:

$ sudo semanage port -l | grep http_cache_port
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
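Added example, not part of the original report or of the selinux-policy project: the comparison made in the comment above (the http_cache_port_t listings from Fedora 17 and Fedora 18 Beta), done in Python and then matched against the port in the name_bind denial. The function names are hypothetical; the listings and the AVC line are copied from this report, the AVC trimmed to the fields used.

```python
import re

# Sample input copied from this report: `semanage port -l | grep http_cache_port`
# on Fedora 17 and on Fedora 18 Beta.
F17 = ("http_cache_port_t tcp 8080, 8118, 8123, 10001-10010\n"
       "http_cache_port_t udp 3130\n")
F18 = ("http_cache_port_t tcp 8080, 8118, 10001-10010\n"
       "http_cache_port_t udp 3130\n")
# AVC record from the report, trimmed to the fields this example reads.
AVC = ('type=AVC msg=audit(1354779779.252:407): avc: denied { name_bind } '
       'for pid=5304 comm="polipo" src=8123 '
       'scontext=system_u:system_r:polipo_t:s0 '
       'tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket')


def parse_ports(listing):
    """Map (port_type, proto) -> set of port numbers, expanding ranges."""
    table = {}
    for line in listing.splitlines():
        fields = line.split(None, 2)
        # Skip blank lines and the column header of an unfiltered listing.
        if len(fields) != 3 or not fields[2][0].isdigit():
            continue
        ptype, proto, ports = fields
        for item in ports.split(","):
            low, _, high = item.strip().partition("-")
            table.setdefault((ptype, proto), set()).update(
                range(int(low), int(high or low) + 1))
    return table


def dropped_ports(old, new):
    """Ports a type carried in the old listing but not in the new one."""
    old_t, new_t = parse_ports(old), parse_ports(new)
    diff = {k: sorted(v - new_t.get(k, set())) for k, v in old_t.items()}
    return {k: v for k, v in diff.items() if v}


def explain_denial(avc, old, new):
    """(port_type, proto) pairs that lost the port named in a name_bind denial."""
    m = re.search(r"denied\s+\{ name_bind \}.*?src=(\d+).*?tclass=(tcp|udp)_socket", avc)
    if not m:
        return []
    port, proto = int(m.group(1)), m.group(2)
    return [k for k, ports in dropped_ports(old, new).items()
            if k[1] == proto and port in ports]
```

On live systems the two listings would come from `semanage port -l` run on each release.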
Ah, you are right.

commit 98281e9adfaa785c68e1e2f434d851baa7f76de7
Author: Miroslav Grepl <mgrepl>
Date:   Fri Dec 7 11:47:53 2012 +0100

    Add back tcp/8123 port as http_cache port
selinux-policy-3.11.1-62.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-62.fc18
Package selinux-policy-3.11.1-62.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-62.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-20203/selinux-policy-3.11.1-62.fc18
then log in and leave karma (feedback).
selinux-policy-3.11.1-66.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-66.fc18
selinux-policy-3.11.1-66.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.