selinux.vger.kernel.org archive mirror
* httpd blocked from http_cache_port_t
@ 2020-08-16  0:06 Robert Nichols
  0 siblings, 0 replies; only message in thread
From: Robert Nichols @ 2020-08-16  0:06 UTC (permalink / raw)
  To: selinux

Would someone please explain the reason that httpd should not by default be allowed to connect to http_cache_port_t? What would be the downside to my allowing this? FWIW, httpd seems to work just fine with that connection blocked (the content does get sent), but it causes a flood of SELinux alerts.

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:http_cache_port_t:s0
Target Objects                 [ tcp_socket ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          8080
Host                          omega-3g.local
Source RPM Packages           httpd-2.2.15-69.el6.centos.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-312.el6.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     omega-3g.local
Platform                      Linux omega-3g.local 2.6.32-754.31.1.el6.x86_64 #1
                               SMP Wed Jul 15 16:02:21 UTC 2020 x86_64 x86_64
Alert Count                   33
First Seen                    Sat 15 Aug 2020 06:48:57 PM CDT
Last Seen                     Sat 15 Aug 2020 06:49:29 PM CDT
Local ID                      9cff892f-b1e6-4823-ae34-e1a3cf532f2f

Raw Audit Messages
type=AVC msg=audit(1597535369.505:23573): avc:  denied  { name_connect } for  pid=3596 comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket


type=SYSCALL msg=audit(1597535369.505:23573): arch=x86_64 syscall=connect success=no exit=EACCES a0=a a1=56246d05d160 a2=10 a3=4 items=0 ppid=1 pid=3596 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: httpd,httpd_t,http_cache_port_t,tcp_socket,name_connect

-- 
Bob Nichols         RNichols42@comcast.net
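An added Python example, not part of the post or the list archive: it correlates the AVC and SYSCALL records that share one audit serial (as the two records above do), pulls out the source type, target type, object class, permission and destination port, and builds the sesearch and semanage queries an administrator would run to see which allow rule or boolean governs that access before deciding whether to change anything. The two audit lines are the ones from the post, embedded as constructed input; the command strings are generated, not executed.

```python
import re
from collections import defaultdict

# Constructed input: the two audit records quoted in the post (same serial 23573).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1597535369.505:23573): avc:  denied  { name_connect } for  pid=3596 comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1597535369.505:23573): arch=x86_64 syscall=connect success=no exit=EACCES a0=a a1=56246d05d160 a2=10 a3=4 items=0 ppid=1 pid=3596 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
"""
HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$")
PERMS_RE = re.compile(r"\{ ([^}]*) \}")          # AVC permission set, e.g. { name_connect }
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')         # key=value or key="quoted value"

def parse_record(line):
    """Split one audit line into type, timestamp, serial and key=value fields."""
    m = HEADER_RE.match(line.strip())
    if not m: return None
    rtype, ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    if rtype == "AVC":
        pm = PERMS_RE.search(rest)
        fields["perms"] = pm.group(1).split() if pm else []
        fields["result"] = "denied" if "denied" in rest.split("{")[0] else "granted"
    return {"type": rtype, "time": float(ts), "serial": int(serial), **fields}

def correlate(text):
    """Group records by audit serial so an AVC and its SYSCALL line are read together."""
    by_serial = defaultdict(dict)
    for rec in filter(None, map(parse_record, text.splitlines())):
        by_serial[rec["serial"]][rec["type"]] = rec
    return dict(by_serial)

def summarize_denial(event):
    """Reduce one correlated event to the fields a policy query needs (None if not a denial)."""
    avc, sc = event.get("AVC"), event.get("SYSCALL", {})
    if not avc or avc["result"] != "denied":
        return None
    ctx_type = lambda ctx: ctx.split(":")[2]      # user:role:type:level -> type
    return {"source_type": ctx_type(avc["scontext"]), "target_type": ctx_type(avc["tcontext"]),
            "tclass": avc["tclass"], "perms": avc["perms"],
            "dest_port": int(avc["dest"]) if "dest" in avc else None,
            "exe": sc.get("exe"), "syscall": sc.get("syscall"), "errno": sc.get("exit"),
            "enforced": sc.get("success") == "no"}  # success=no: the connect() really failed

def suggested_checks(s):
    """Queries showing which allow rule (and, with -C, which boolean) governs this access."""
    cmds = ["sesearch --allow -C -s %s -t %s -c %s -p %s" % (
        s["source_type"], s["target_type"], s["tclass"], ",".join(s["perms"]))]
    if s["dest_port"] is not None:   # port-type target: also list the ports carrying that label
        cmds.append("semanage port -l | grep -w %s" % s["target_type"])
    return cmds
```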
