Re: httpd soap connection over https

On Mon, 2012-09-24 at 03:07 +0100, Ahmed Sghaier wrote:

> selinux log :
> 
> # grep '1346290066.999:85' /var/log/audit/audit.log 
> type=AVC msg=audit(1346290066.999:85): avc:  denied  { name_connect }
> for  pid=2021 comm="httpd" dest=1664
> scontext=unconfined_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
> type=SYSCALL msg=audit(1346290066.999:85): arch=c000003e syscall=42
> success=no exit=-13 a0=b a1=7f65a9e33b18 a2=10 a3=40 items=0 ppid=2016
> pid=2021 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48
> fsgid=48 tty=(none) ses=3 comm="httpd" exe="/usr/sbin/httpd"
> subj=unconfined_u:system_r:httpd_t:s0 key=(null)
> 
> 
> Method 1 :
> # setsebool -P allow_ypbind 1
> 
> 
> Method 2 :
> # setsebool -P httpd_can_network_connect 1
> 
> 
> Method 3 :
> # grep '1346290066.999:85' /var/log/audit/audit.log | audit2allow -M soap
> # semodule -i soap.pp

Here is a little cheat that can be an optimal solution in many cases

httpd is allowed to connect to dns ports for nsswitch support

you can label tcp:1664 a dns_port_t which will allow http to connect to
it:

semanage port -a -t dns_port_t -p tcp 1664

that way you don't need to toggle any booleans or extend httpd policy

not the prettiest solution but it works and it is efficient

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
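
An added example, not part of the original thread: it parses the AVC record quoted above and builds the `semanage port` command from the reply for the denied port. The function names are hypothetical, and the sample record is the quoted one with the mail line wrapping removed.

```python
import re

# AVC record quoted in the message, with the mail line wrapping removed.
SAMPLE_AVC = (
    'type=AVC msg=audit(1346290066.999:85): avc:  denied  { name_connect } '
    'for  pid=2021 comm="httpd" dest=1664 '
    'scontext=unconfined_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'
)

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of an AVC denial as a dict, or None for other records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    return fields


def selinux_type(context):
    """Extract the type field from a user:role:type:level context."""
    return context.split(":")[2]


def port_label_command(line, new_type):
    """Build the semanage argv that labels the denied TCP port with new_type.

    Returns None unless the record is a tcp_socket name_connect denial against
    the generic port_t, i.e. a port that has no specific label yet.
    """
    avc = parse_avc(line)
    if avc is None or "name_connect" not in avc["perms"]:
        return None
    if avc.get("tclass") != "tcp_socket" or "dest" not in avc:
        return None
    if selinux_type(avc.get("tcontext", "::")) != "port_t":
        return None
    port = int(avc["dest"])  # raises ValueError on a non-numeric dest
    return ["semanage", "port", "-a", "-t", new_type, "-p", "tcp", str(port)]


if __name__ == "__main__":
    avc = parse_avc(SAMPLE_AVC)
    print(selinux_type(avc["scontext"]), "->", selinux_type(avc["tcontext"]), avc["dest"])
    print(" ".join(port_label_command(SAMPLE_AVC, "dns_port_t")))
```

A port label applies system-wide, so every domain the policy allows to `name_connect` to the chosen type gains access to that port, not only `httpd_t`; `semanage port -l` lists the current assignments.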


