Joe Orton wrote:
I wonder whether this boolean should really just be "on" by default.
----- Forwarded message from bugzilla@xxxxxxxxxx -----
From: bugzilla@xxxxxxxxxx
To: jorton@xxxxxxxxxx
Date: Wed, 3 Aug 2005 08:02:27 -0400
Subject: [Bug 164992] New: Mod_proxy does not work with SElinux default policy
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=164992
Summary: Mod_proxy does not work with SElinux default policy
Product: Fedora Core
Version: fc4
Platform: i386
OS/Version: Linux
Status: NEW
Severity: low
Priority: normal
Component: httpd
AssignedTo: jorton@xxxxxxxxxx
ReportedBy: trash_alias@xxxxxxxx
Estimated Hours: 0.0
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050720 Fedora/1.0.6-1.1.fc4 Firefox/1.0.6
Description of problem:
Bad: mod_proxy fail if selinux is enabled
[Wed Aug 03 13:52:12 2005] [debug] proxy_http.c(67): proxy: HTTP: canonicalising URL //webmail.XXX.be/exchange/
[Wed Aug 03 13:52:12 2005] [debug] mod_proxy.c(419): Trying to run scheme_handler
[Wed Aug 03 13:52:12 2005] [debug] proxy_http.c(1062): proxy: HTTP: serving URL https://webmail.XXX.be/exchange/
[Wed Aug 03 13:52:12 2005] [debug] proxy_http.c(186): proxy: HTTP connecting https://webmail.XXX.be/exchange/ to webmail.XXX.be:443
[Wed Aug 03 13:52:12 2005] [debug] proxy_util.c(1139): proxy: HTTP: fam 2 socket created to
connect to webmail.XXX.be
Bad: [Wed Aug 03 13:52:12 2005] [error] (13)Permission denied: proxy: HTTP: attempt to connect to 123.123.123.123:443 (webmail.XXX.be) failed
Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.25.3-9 httpd-2.0.54-10.1
How reproducible:
Always
Steps to Reproduce:
1.setenforce 1
2.access your http server configured ro reverse proxying
3.fail with message: BAD gateway
4. setenforce 0
5. it work.
Expected Results: I would expect the default policy to allow proxying and Message is not explicit and I had to search a long time to understand....
Additional info:
We could allow apache to connect to apache ports by default, if that
would satisfy this.
--
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list