-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Gene Heskett wrote:
> Greetings;
>
> Verizon makes life a bitch by violating common carrier rules when they block
> port 80 to keep their customers from running a web server. But port 85
> appears to be an unassigned port, and I have successfully used it to test when
> selinux, privoxy and squid were not running. Now they are, and an attempted
> connect to http://gene.homelinux.net:85 now gets a 503 cuz selinux denies it.
>
> As saved from setroubleshooter:
> =================
> Summary:
>
> SELinux is preventing the privoxy(/usr/sbin/privoxy) (privoxy_t) from connecting
> to port 85.
>
> Detailed Description:
>
> SELinux has denied the privoxy(/usr/sbin/privoxy) from connecting to a network
> port 85 which does not have an SELinux type associated with it. If
> privoxy(/usr/sbin/privoxy) is supposed to be allowed to connect on this port,
> you can use the semanage command to add this port to a port type that privoxy_t
> can connect to. semanage port -L will list all port types. Please file a bug
> report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the
> selinux-policy package. If privoxy(/usr/sbin/privoxy) is not supposed to bind to
> this port, this could signal a intrusion attempt.
>
> Allowing Access:
>
> If you want to allow privoxy(/usr/sbin/privoxy) to connect to this port semanage
> port -a -t PORT_TYPE -p PROTOCOL 85 Where PORT_TYPE is a type that privoxy_t can
> connect.
>
> Additional Information:
>
> Source Context                system_u:system_r:privoxy_t:s0
> Target Context                system_u:object_r:reserved_port_t:s0
> Target Objects                None [ tcp_socket ]
> Source                        privoxy(/usr/sbin/privoxy)
> Port                          85
> Host                          coyote.coyote.den
> Source RPM Packages
> Target RPM Packages
> Policy RPM                    selinux-policy-3.0.8-76.fc8
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   connect_ports
> Host Name                     coyote.coyote.den
> Platform                      Linux coyote.coyote.den 2.6.24-rc8 #2 SMP Wed Jan 16 22:47:57 EST 2008 i686 athlon
> Alert Count                   4
> First Seen                    Tue 22 Jan 2008 10:10:07 AM EST
> Last Seen                     Tue 22 Jan 2008 10:11:16 AM EST
> Local ID                      748d1fcf-28fe-4b1b-87c3-40a0b272393d
> Line Numbers
>
> Raw Audit Messages
>
> host=coyote.coyote.den type=AVC msg=audit(1201014676.609:434): avc: denied { name_connect } for pid=14357
> comm="privoxy" dest=85 scontext=system_u:system_r:privoxy_t:s0 tcontext=system_u:object_r:reserved_port_t:s0
> tclass=tcp_socket
>
> host=coyote.coyote.den type=SYSCALL msg=audit(1201014676.609:434): arch=40000003 syscall=102 success=no exit=-13 a0=3
> a1=b67366e0 a2=b6736798 a3=0 items=0 ppid=1 pid=14357 auid=4294967295 uid=73 gid=73 euid=73 suid=73 fsuid=73 egid=73
> sgid=73 fsgid=73 tty=(none) comm="privoxy" exe="/usr/sbin/privoxy" subj=system_u:system_r:privoxy_t:s0 key=(null)
>
> ==================
> What can I do to allow this? The above isn't precise enough for me to go stumbling around.
>
> 2nd, do these mailing lists echo each other? If so, sorry about hitting both.
>

The best way to handle this is to define port 85 as an http_port_t; this way all
domains that can use http_port_t will gain access.

semanage port -a -t http_port_t -p tcp 85

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkeYrf8ACgkQrlYvE4MpobNfywCeKO39DQKjtgoLPgyGrp2LkRk4
1u0AoJxex/fafIhBW/vuKSwrCNmHQv5R
=W6Wm
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
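The recommended fix turns on two facts that are easy to get wrong by hand: which port type the AVC says the port currently carries (here reserved_port_t, the catch-all for 1-1023), and whether the type you want to move it to already covers the port. The shell script below is an added example, not part of the list post: it pulls the port, protocol and target type out of the AVC line quoted above, checks them against a constructed `semanage port -l` style listing (the real listing is longer, but the type / proto / comma-separated ports-and-ranges layout is the same), and prints the `semanage port -a` command from the reply rather than running it. The listing contents and the function names are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the fedora-selinux-list thread). Decides whether
# the port named in an AVC denial is already covered by the desired port
# type and, if not, prints the semanage command the reply recommends.

# The AVC line from the thread, verbatim.
AVC_LINE='type=AVC msg=audit(1201014676.609:434): avc: denied { name_connect } for pid=14357 comm="privoxy" dest=85 scontext=system_u:system_r:privoxy_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket'

# Constructed sample of `semanage port -l` output (same layout as the real
# tool: type, protocol, then comma-separated ports and lo-hi ranges).
SEMANAGE_LISTING='SELinux Port Type              Proto    Port Number
http_cache_port_t              tcp      3128, 8080, 8118
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
reserved_port_t                tcp      1-1023
ssh_port_t                     tcp      22'

# avc_field LINE KEY -> value of KEY=value in an audit record, quotes stripped
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"'
}

# context_type CONTEXT -> the type component of user:role:type:level
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# port_in_type LISTING TYPE PROTO PORT -> exit 0 if PORT/PROTO is covered by
# TYPE in LISTING, honouring both single ports and lo-hi ranges
port_in_type() {
    printf '%s\n' "$1" | awk -v t="$2" -v p="$3" -v port="$4" '
        $1 == t && $2 == p {
            for (i = 3; i <= NF; i++) {
                item = $i; sub(/,$/, "", item)
                n = split(item, r, "-")
                lo = r[1]; hi = (n == 2) ? r[2] : r[1]
                if (port + 0 >= lo + 0 && port + 0 <= hi + 0) found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# suggest_fix AVC_LINE LISTING WANTED_TYPE -> prints either a note that the
# port is already labelled WANTED_TYPE, or the semanage command to label it
suggest_fix() {
    port=$(avc_field "$1" dest)
    proto=$(avc_field "$1" tclass | sed 's/_socket$//')
    if port_in_type "$2" "$3" "$proto" "$port"; then
        printf 'port %s/%s is already labelled %s\n' "$port" "$proto" "$3"
    else
        printf 'semanage port -a -t %s -p %s %s\n' "$3" "$proto" "$port"
    fi
}

# Stand-alone run: show what the denied port is labelled now, then the fix.
printf 'denied port currently labelled: %s\n' \
    "$(context_type "$(avc_field "$AVC_LINE" tcontext)")"
suggest_fix "$AVC_LINE" "$SEMANAGE_LISTING" http_port_t
```

Because 85/tcp only falls in the generic reserved_port_t range and is not a specific assignment, `-a` is the right verb; had the port already been assigned to a named type, `semanage port -m` (modify) would be the one to use instead. After applying the change, `semanage port -l | grep http_port_t` should show 85 on the http_port_t line, and a fresh connection attempt should no longer produce a name_connect AVC.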