SELinux blocks my library catalog

Joel Gomberg obligor11-fedora at yahoo.com
Sat Apr 15 14:57:00 UTC 2006


Stuart Sears wrote:
> Joel Gomberg wrote:
>> Joel Gomberg wrote:
>>> My library uses port 8080 for accessing its catalog:
>>>
>>> http://oaklandlibrary.org:8080/ipac20/ipac.jsp?profile=#focus
>>>
>>> SELinux denies access.  With setenforce=0, access is permitted, so I'm
>>> sure it's a SELinux issue.  After perusing the SELinux FAQ, I issued
>>> this command:
>>>
>>> semanage port -a -p tcp -t http_port_t 8080.
>>>
>>> The response was that port 8080 was already defined.
>>>
>>> Suggestions are welcome.
>> I forgot to include the relevant audit log entry:
>>
>> type=AVC msg=audit(1145058006.474:1026): avc:  denied  { name_connect }
>> for  pid=13185 comm="privoxy" dest=8080
>> scontext=system_u:system_r:privoxy_t:s0
>>
>> -- 
>> Joel
>>
> try:
> semanage port -l | grep 8080
> 
> you should see something like:
> http_cache_port_t              tcp      3128, 8080, 8118
> 
> if you want to allow privoxy_t access to this port as well, you could
> attempt this:
> semanage port -m -p tcp -t privoxy_t 8080
> 
> notice the -m instead of the -a (you're modifying an already defined
> port, rather than adding a new one)
> 
> see if that helps

No go.  The denial message has changed slightly, though:

type=AVC msg=audit(1145112509.543:104): avc:  denied  { name_connect } 
for  pid=4137 comm="privoxy" dest=8080 
scontext=system_u:system_r:privoxy_t:s0 
tcontext=system_u:object_r:privoxy_t:s0 tclass=tcp_socket

The "tclass=tcp_socket" wasn't there before.

The semanage change did take effect:

semanage port -l | grep 8080
http_cache_port_t              tcp      3128, 8080, 8118
privoxy_t                      tcp      8080


--
Joel
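As an added example (not part of the thread), here is a small Python parser for the two AVC records quoted above: it extracts the source domain, the destination port and the port's type, and flags a port whose label is not a `_port_t` type, since name_connect is checked against the port's type and a port relabeled with the domain type privoxy_t has no allow rule referring to it. The record strings are the thread's own denials, constructed here as sample input; the `_port_t` naming convention is used as a heuristic.

```python
import re

# Core of an AVC record: the denied permission set and the key=value tail.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
# key=value tokens; values may be double-quoted, e.g. comm="privoxy".
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_avc(record):
    """Parse one AVC record (mail-wrapped lines are fine) into (perms, fields)."""
    m = AVC_RE.search(" ".join(record.split()))  # collapse line wraps/double spaces
    if not m:
        return None
    perms = m.group("perms").split()
    fields = {k: q if q else u for k, q, u in KV_RE.findall(m.group("rest"))}
    return perms, fields

def selinux_type(context):
    """Return the type of a user:role:type[:level] context, or None if absent."""
    parts = context.split(":") if context else []
    return parts[2] if len(parts) >= 3 else None

def assess_name_connect(record):
    """Summarise a name_connect denial: domain, port, port type, and the rule missing.

    Heuristic (assumption): port types are named *_port_t, so any other type on a
    port (the domain privoxy_t here) is a hand relabel that no allow rule refers to.
    """
    parsed = parse_avc(record)
    if parsed is None or "name_connect" not in parsed[0]:
        return None
    f = parsed[1]
    src, port_type = selinux_type(f.get("scontext")), selinux_type(f.get("tcontext"))
    tclass = f.get("tclass", "tcp_socket")
    return {
        "domain": src,
        "port": f.get("dest"),
        "port_type": port_type,  # None when tcontext was not captured
        "tclass": tclass,
        "needs_rule": None if port_type is None else f"allow {src} {port_type}:{tclass} name_connect;",
        "port_label_looks_wrong": port_type is not None and not port_type.endswith("_port_t"),
    }

# Sample input: the two denials quoted in the thread (constructed as strings here).
FIRST = ('type=AVC msg=audit(1145058006.474:1026): avc:  denied  { name_connect } '
         'for  pid=13185 comm="privoxy" dest=8080 scontext=system_u:system_r:privoxy_t:s0')
SECOND = ('type=AVC msg=audit(1145112509.543:104): avc:  denied  { name_connect } '
          'for  pid=4137 comm="privoxy" dest=8080 scontext=system_u:system_r:privoxy_t:s0 '
          'tcontext=system_u:object_r:privoxy_t:s0 tclass=tcp_socket')
```

Calling `assess_name_connect(SECOND)` reports port_type privoxy_t with port_label_looks_wrong set, and the missing rule it would take; the first record, which lacks tcontext, yields no port type at all.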



