Joel Gomberg wrote:
> Stuart Sears wrote:
>> Joel Gomberg wrote:
>>> Joel Gomberg wrote:
>>>> My library uses port 8080 for accessing its catalog:
>>>>
>>>> http://oaklandlibrary.org:8080/ipac20/ipac.jsp?profile=#focus
>>>>
>>>> SELinux denies access. With setenforce=0, access is permitted, so I'm
>>>> sure it's a SELinux issue. After perusing the SELinux FAQ, I issued
>>>> this command:
>>>>
>>>> semanage port -a -p tcp -t http_port_t 8080.
>>>>
>>>> The response was that port 8080 was already defined.
>>>>
>>>> Suggestions are welcome.
>>> I forgot to include the relevant audit log entry:
>>>
>>> type=AVC msg=audit(1145058006.474:1026): avc: denied { name_connect }
>>> for pid=13185 comm="privoxy" dest=8080
>>> scontext=system_u:system_r:privoxy_t:s0
>>>
>>> --
>>> Joel
>>>
>> try:
>> semanage port -l | grep 8080
>>
>> you should see something like:
>> http_cache_port_t tcp 3128, 8080, 8118
>>
>> if you want to allow privoxy_t access to this port as well, you could
>> attempt this:
>> semanage port -m -p tcp -t privoxy_t 8080
>>
>> notice the -m instead of the -a (you're modifying an already defined
>> port, rather than adding a new one)
>>
>> see if that helps
>
> No go. The denial message has changed slightly, though:
>
> type=AVC msg=audit(1145112509.543:104): avc: denied { name_connect }
> for pid=4137 comm="privoxy" dest=8080
> scontext=system_u:system_r:privoxy_t:s0
> tcontext=system_u:object_r:privoxy_t:s0 tclass=tcp_socket

okay, it looks like we're in need of a number of policy changes to permit
privoxy_t to do its job.

first set permissive mode

setenforce 0

then... are you running auditd?

audit2allow -i /var/log/audit/audit.log (if you are)
audit2allow -i /var/log/messages (if you aren't)

it will tell you what you have to permit privoxy_t to do before it can
bind to port 8080.

I have a feeling it is going to need a few changes to the reference policy.
Much of this may be best posted to fedora-selinux-list where the SELinux
bigwigs hang out. They are far more expert on this than I.

Stuart

--
Stuart Sears RHCA RHCX
To err is human, to forgive is Not Company Policy.
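As an added example (not part of the thread, and not the output of semanage or audit2allow themselves): the two checks Stuart describes, done offline in plain sh/sed/awk. One function looks up which port type owns a port in `semanage port -l`-style output (constructed here, including a range entry), the other turns an AVC record into the `allow` rule audit2allow derives from it and refuses the truncated first denial, which has no tcontext.

```shell
#!/bin/sh
# Added example, not from the thread. Port listing and AVC records below are
# constructed from the thread's text; no SELinux tools need to be installed.

# port_type PROTO PORT LISTING: print the type whose list or range covers PORT.
port_type() {
    printf '%s\n' "$3" | awk -v proto="$1" -v port="$2" '
        $2 == proto { for (i = 3; i <= NF; i++) {
            p = $i; sub(/,$/, "", p)                        # strip trailing comma
            if (index(p, "-")) {                            # "1-511" style range
                split(p, r, "-")
                if (port+0 >= r[1]+0 && port+0 <= r[2]+0) print $1
            } else if (p+0 == port+0) print $1
        } }'
}

# avc_field KEY LINE: value of KEY=... (quoted or not) from an audit record.
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.*[ (]$1=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_to_allow LINE: "allow SRC TGT:CLASS PERM;" or fail when the record is
# incomplete, as with the first denial quoted in the thread (no tcontext).
avc_to_allow() {
    perm=$(printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([a-z_]*\) *}.*/\1/p')
    src=$(avc_field scontext "$1" | cut -d: -f3)   # context -> type component
    tgt=$(avc_field tcontext "$1" | cut -d: -f3)
    cls=$(avc_field tclass "$1")
    if [ -z "$perm" ] || [ -z "$src" ] || [ -z "$tgt" ] || [ -z "$cls" ]; then
        echo "incomplete AVC record: need denied{}, scontext, tcontext, tclass" >&2
        return 1
    fi
    printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$perm"
}

# Constructed sample data modelled on the thread.
PORTS='http_cache_port_t tcp 3128, 8080, 8118
http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443
reserved_port_t tcp 1-511'
FULL='type=AVC msg=audit(1145112509.543:104): avc: denied { name_connect } for pid=4137 comm="privoxy" dest=8080 scontext=system_u:system_r:privoxy_t:s0 tcontext=system_u:object_r:privoxy_t:s0 tclass=tcp_socket'
TRUNC='type=AVC msg=audit(1145058006.474:1026): avc: denied { name_connect } for pid=13185 comm="privoxy" dest=8080 scontext=system_u:system_r:privoxy_t:s0'

port_type tcp "$(avc_field dest "$FULL")" "$PORTS"   # http_cache_port_t
avc_to_allow "$FULL"            # allow privoxy_t privoxy_t:tcp_socket name_connect;
avc_to_allow "$TRUNC" || echo "cannot derive a rule from the truncated record"
```

The derived rule shows why the `-m` relabel did not help: after it the target of the denial is `privoxy_t` itself rather than a port type, so what the domain still lacks is `name_connect` on the type that actually labels tcp/8080.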