Re: SELinux blocks my library catalog

[Joel Gomberg <obligor11-fedora@xxxxxxxxx>]

Stuart Sears wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Joel Gomberg wrote:
> > Stuart Sears wrote:
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > Joel Gomberg wrote:
> > > > Joel Gomberg wrote:
> > > > > My library uses port 8080 for accessing its catalog:
> > > > >
> > > > > http://oaklandlibrary.org:8080/ipac20/ipac.jsp?profile=#focus
> > > > >
> > > > > SELinux denies access.  With setenforce=0, access is permitted, so I'm
> > > > > sure it's a SELinux issue.  After perusing the SELinux FAQ, I issued
> > > > > this command:
> > > > >
> > > > > semanage port -a -p tcp -t http_port_t 8080.
> > > > >
> > > > > The response was that port 8080 was already defined.
> > > > >
> > > > > Suggestions are welcome.
> > > > I forgot to include the relevant audit log entry:
> > > >
> > > > type=AVC msg=audit(1145058006.474:1026): avc:  denied  { name_connect }
> > > > for  pid=13185 comm="privoxy" dest=8080
> > > > scontext=system_u:system_r:privoxy_t:s0
> > > >
> > > > --
> > > > Joel
> > > try:
> > > semanage port -l | grep 8080
> > >
> > > you should see something like:
> > > http_cache_port_t              tcp      3128, 8080, 8118
> > >
> > > if you want to allow privoxy_t access to this port as well, you could
> > > attempt this:
> > > semanage port -m -p tcp -t privoxy_t 8080
> > >
> > > notice the -m instead of the -a (you're modifying an already defined
> > > port, rather than adding a new one)
> > >
> > > see if that helps
> > No go.  The denial message has changed slightly, though:
> >
> > type=AVC msg=audit(1145112509.543:104): avc:  denied  { name_connect }
> > for  pid=4137 comm="privoxy" dest=8080
> > scontext=system_u:system_r:privoxy_t:s0
> > tcontext=system_u:object_r:privoxy_t:s0 tclass=tcp_socket
>
> okay, it looks like we're in need of a number of policy changes to
> permit privoxy_t to do its job.
>
> first set permissive mode
>
> setenforce 0
>
> then...
> are you running auditd?
> audit2allow -i /var/log/audit/audit.log (if you are)
> audit2allow -i /var/log/messages (if you aren't)
>
> it will tell you what you have to permit privoxy_t to do before it can
> bind to port 8080. I have a feeling it is going to need a few changes to
> the reference policy
>
> much of this may be best posted to fedora-selinux-list where the SELinux
> bigwigs hang out. They are far more expert on this than I

Thanks for your help.  I've posted this question to the selinux list 
along with the output from the audit2allow command.

--
Joel