Re: Privoxy and Port 8080


 



Daniel J Walsh wrote:
Joel Gomberg wrote:
I originally posted this message to the fedora users list. It was suggested that I might have better luck here.

SELinux is blocking privoxy's access to my public library's online catalog:

http://oaklandlibrary.org:8080/ipac20/ipac.jsp?profile=#focus

SELinux denies access.  With setenforce=0, access is permitted, so I'm
sure it's a SELinux issue.  After perusing the SELinux FAQ, I issued
this command:

semanage port -a -p tcp -t http_port_t 8080.

The response was that port 8080 was already defined.

The denial message is:

type=AVC msg=audit(1145058006.474:1026): avc:  denied  { name_connect }
for  pid=13185 comm="privoxy" dest=8080
scontext=system_u:system_r:privoxy_t:s0

I received a suggestion to issue this command:

semanage port -m -p tcp -t privoxy_t 8080

This changed the denial message slightly:

type=AVC msg=audit(1145112509.543:104): avc: denied { name_connect } for pid=4137 comm="privoxy" dest=8080 scontext=system_u:system_r:privoxy_t:s0 tcontext=system_u:object_r:privoxy_t:s0 tclass=tcp_socket

I then issued these commands:

[root@alcibiades ~]# setenforce 0
[root@alcibiades ~]# audit2allow -i /var/log/audit/audit.log

and received this output [relevant to Privoxy]:

allow privoxy_t http_cache_port_t:tcp_socket name_connect;
allow privoxy_t self:tcp_socket name_connect;

I don't know how to proceed from here.
Try

audit2allow -M privoxy -i /var/log/audit/audit.log
semodule -i privoxy.pp

This will create a modular policy that will add these rules to your machine.

I will change policy to allow privoxy to connect to port 8080.

Apparently, it was a bit more complex than that:

audit2allow -M privoxy -i /var/log/audit/audit.log
Generating type enforcment file: privoxy.te
Compiling policy
checkmodule -M -m -o privoxy.mod privoxy.te
semodule_package -o privoxy.pp -m privoxy.mod

******************** IMPORTANT ***********************

In order to load this newly created policy package into the kernel,
you are required to execute

semodule -i privoxy.pp


[root@alcibiades ~]# semodule -i privoxy.pp

The denial messages were different, but still no cigar:

type=AVC msg=audit(1145284191.527:141): avc:  denied  { recv_msg } for
saddr=209.233.191.3 src=8080 daddr=192.168.0.5 dest=37465 netif=eth1
scontext=system_u:system_r:privoxy_t:s0
tcontext=system_u:object_r:privoxy_t:s0 tclass=tcp_socket

I then repeated the audit2allow and semodule commands and this time it
works.

HOWEVER, after I posted the initial message, I realized that all I had
to do was bypass Privoxy for the library's domain in my browser
settings.  So perhaps it isn't really necessary to mess with the policy.

--
Joel





--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
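
An added example, not part of the thread and not audit2allow's own code: a simplified Python sketch of how the AVC denials quoted above map to allow rules, useful for reviewing what a generated module will permit before running `semodule -i`. The function and variable names are hypothetical. The truncated first denial is skipped because it has no tcontext or tclass, and the two later denials collapse into a single `self` rule because port 8080 had been relabeled with the domain type `privoxy_t`.

```python
import re
from collections import defaultdict

# AVC records quoted in the thread, rejoined onto single lines. The first one is
# truncated in the post (no tcontext/tclass), so no rule can be derived from it.
THREAD_AVCS = [
    'type=AVC msg=audit(1145058006.474:1026): avc:  denied  { name_connect } '
    'for  pid=13185 comm="privoxy" dest=8080 '
    'scontext=system_u:system_r:privoxy_t:s0',
    'type=AVC msg=audit(1145112509.543:104): avc: denied { name_connect } for '
    'pid=4137 comm="privoxy" dest=8080 scontext=system_u:system_r:privoxy_t:s0 '
    'tcontext=system_u:object_r:privoxy_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1145284191.527:141): avc:  denied  { recv_msg } for '
    'saddr=209.233.191.3 src=8080 daddr=192.168.0.5 dest=37465 netif=eth1 '
    'scontext=system_u:system_r:privoxy_t:s0 '
    'tcontext=system_u:object_r:privoxy_t:s0 tclass=tcp_socket',
]

DENIED = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=(\S+)')

def selinux_type(context):
    """Extract the type from user:role:type[:level]; None if malformed."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else None

def rules_from_avc(lines):
    """Return (sorted allow rules, number of denials too incomplete to use)."""
    grouped, skipped = defaultdict(set), 0
    for line in lines:
        denied = DENIED.search(line)
        if not denied:
            continue  # not an AVC denial record
        fields = dict(FIELD.findall(line))
        src = selinux_type(fields.get('scontext', ''))
        tgt = selinux_type(fields.get('tcontext', ''))
        cls = fields.get('tclass')
        if not (src and tgt and cls):
            skipped += 1  # e.g. the truncated first denial in the thread
            continue
        # A target type equal to the source domain is written as "self".
        key = (src, 'self' if tgt == src else tgt, cls)
        grouped[key].update(denied.group(1).split())
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        names = sorted(perms)
        body = names[0] if len(names) == 1 else '{ ' + ' '.join(names) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {body};')
    return rules, skipped
```

Calling `rules_from_avc(THREAD_AVCS)` returns the derived rules together with the count of records that were too incomplete to use.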
