Re: httpd fails to start with latest policy
On Fri, 2005-06-17 at 10:14 -0700, Bob Kashani wrote:
httpd fails to start with the latest FC3 policy.
selinux-policy-targeted-1.17.30-3.9
Here is the AVC message:
Jun 17 10:04:48 sorcerer kernel: audit(1119027888.944:0): avc: denied
{ name_bind } for pid=3265 exe=/usr/sbin/httpd src=2121
scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:port_t
tclass=tcp_socket
Jun 17 10:04:48 sorcerer httpd: (13)Permission denied: make_sock: could
not bind to address [::]:2121
Jun 17 10:04:48 sorcerer httpd: no listening sockets available, shutting
down
Jun 17 10:04:48 sorcerer httpd: Unable to open logs
Jun 17 10:04:48 sorcerer httpd: httpd startup failed
I normally use port 80 and 2121. How do I fix this?
As a workaround, you can add a definition for 2121
to /etc/selinux/targeted/src/policy/net_contexts, likewise mapping it to
http_port_t, e.g.
portcon tcp 2121 system_u:object_r:http_port_t
Naturally, that won't survive updates. There isn't presently a clean
way to do local customization of network-related contexts, but that is
planned (but isn't likely to be included until FC5).
Alternative is to let httpd bind to any non-reserved port at all, i.e.
allow httpd_t port_t:tcp_socket name_bind;
in /etc/selinux/targeted/src/policy/domains/misc/local.te (or any name
not used by the policy package), which would survive updates.
--
Stephen Smalley
National Security Agency