Re: SELinux blocks my library catalog

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Stuart Sears wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Joel Gomberg wrote:
Stuart Sears wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Joel Gomberg wrote:
Joel Gomberg wrote:
My library uses port 8080 for accessing its catalog:

http://oaklandlibrary.org:8080/ipac20/ipac.jsp?profile=#focus

SELinux denies access.  With setenforce=0, access is permitted, so I'm
sure it's a SELinux issue.  After perusing the SELinux FAQ, I issued
this command:

semanage port -a -p tcp -t http_port_t 8080.

The response was that port 8080 was already defined.

Suggestions are welcome.
I forgot to include the relevant audit log entry:

type=AVC msg=audit(1145058006.474:1026): avc:  denied  { name_connect }
for  pid=13185 comm="privoxy" dest=8080
scontext=system_u:system_r:privoxy_t:s0

--
Joel

try:
semanage port -l | grep 8080

you should see something like:
http_cache_port_t              tcp      3128, 8080, 8118

if you want to allow privoxy_t access to this port as well, you could
attempt this:
semanage port -m -p tcp -t privoxy_t 8080

notice the -m instead of the -a (you're modifying an already defined
port, rather than adding a new one)

see if that helps
No go.  The denial message has changed slightly, though:

type=AVC msg=audit(1145112509.543:104): avc:  denied  { name_connect }
for  pid=4137 comm="privoxy" dest=8080
scontext=system_u:system_r:privoxy_t:s0
tcontext=system_u:object_r:privoxy_t:s0 tclass=tcp_socket

okay, it looks like we're in need of a number of policy changes to
permit privoxy_t to do its job.

first set permissive mode

setenforce 0

then...
are you running auditd?
audit2allow -i /var/log/audit/audit.log (if you are)
audit2allow -i /var/log/messages (if you aren't)

it will tell you what you have to permit privoxy_t to do before it can
bind to port 8080. I have a feeling it is going to need a few changes to
the reference policy

much of this may be best posted to fedora-selinux-list where the SELinux
bigwigs hang out. They are far more expert on this than I

Thanks for your help. I've posted this question to the selinux list along with the output from the audit2allow command.

--
Joel


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux