httpd fails to start with latest policy

Stephen Smalley sds at tycho.nsa.gov
Fri Jun 17 17:26:08 UTC 2005


On Fri, 2005-06-17 at 10:14 -0700, Bob Kashani wrote:
> httpd fails to start with the latest FC3 policy.
> 
> selinux-policy-targeted-1.17.30-3.9
> 
> Here is the AVC message:
> 
> Jun 17 10:04:48 sorcerer kernel: audit(1119027888.944:0): avc:  denied
> { name_bind } for  pid=3265 exe=/usr/sbin/httpd src=2121
> scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:port_t
> tclass=tcp_socket
> Jun 17 10:04:48 sorcerer httpd: (13)Permission denied: make_sock: could
> not bind to address [::]:2121
> Jun 17 10:04:48 sorcerer httpd: no listening sockets available, shutting
> down
> Jun 17 10:04:48 sorcerer httpd: Unable to open logs
> Jun 17 10:04:48 sorcerer httpd: httpd startup failed
> 
> I normally use port 80 and 2121. How do I fix this?

As a workaround, you can add a definition for 2121
to /etc/selinux/targeted/src/policy/net_contexts, likewise mapping it to
http_port_t, e.g.
	portcon tcp 2121 system_u:object_r:http_port_t

Naturally, that won't survive updates.  There isn't presently a clean
way to do local customization of network-related contexts, but that is
planned (but isn't likely to be included until FC5).  

Alternative is to let httpd bind to any non-reserved port at all, i.e.
	allow httpd_t port_t:tcp_socket name_bind;
in /etc/selinux/targeted/src/policy/domains/misc/local.te (or any name
not used by the policy package), which would survive updates.

-- 
Stephen Smalley
National Security Agency
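The denial and the two fixes discussed above, as an added example that is not part of the original message: a small parser for the AVC line that pulls out the source domain, target type and port, and emits the portcon and allow statements in the form given in the reply, plus a flag for whether the port falls in the reserved range (the reply's allow rule only covers non-reserved ports typed port_t). The sample line is the thread's own AVC message reassembled onto one line; function names are my own.

```python
import re

# Constructed sample: the AVC denial from the thread, rejoined onto one line.
SAMPLE_AVC = (
    "Jun 17 10:04:48 sorcerer kernel: audit(1119027888.944:0): avc:  denied "
    "{ name_bind } for  pid=3265 exe=/usr/sbin/httpd src=2121 "
    "scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:port_t "
    "tclass=tcp_socket"
)

# Matches "avc: denied { perm ... } for key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)


def parse_avc(line):
    """Return the permissions and key=value fields of an AVC denial, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    fields["perms"] = m.group("perms").split()
    return fields


def context_type(context):
    """Third field of user:role:type, e.g. httpd_t from user_u:system_r:httpd_t."""
    return context.split(":")[2]


def suggest_policy(avc, port_type="http_port_t"):
    """For a name_bind denial on a tcp_socket, build the two statements from the reply."""
    if avc is None or "name_bind" not in avc["perms"] or avc.get("tclass") != "tcp_socket":
        return None
    port = int(avc["src"])
    domain = context_type(avc["scontext"])   # e.g. httpd_t
    target = context_type(avc["tcontext"])   # e.g. port_t
    return {
        "port": port,
        # net_contexts entry: label the port like the other httpd ports
        "portcon": f"portcon tcp {port} system_u:object_r:{port_type}",
        # local.te rule: let the domain bind any port carrying the target type
        "allow": f"allow {domain} {target}:tcp_socket name_bind;",
        # ports below 1024 are not port_t, so the allow rule would not cover them
        "reserved": port < 1024,
    }
```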
