
Bug 159966

Summary: Squid fails to start listening on port 80
Product: Red Hat Enterprise Linux 4
Reporter: Matthew Booth <mbooth>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: 4.0
Hardware: x86_64
OS: Linux
Fixed In Version: RHBA-2005-645
Doc Type: Bug Fix
Last Closed: 2005-10-05 16:34:50 UTC
Bug Blocks: 156322

Description Matthew Booth 2005-06-09 19:33:55 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.7.8) Gecko/20050512 Red Hat/1.0.4-1.4.1 Firefox/1.0.4

Description of problem:
I have squid configured as an http accelerator listening on port 80. When selinux is enabled it does not start. The error message in cache.log is:

2005/06/09 20:22:41| commBind: Cannot bind socket FD 13 to x.x.x.x:80: (13) Permission denied
2005/06/09 20:22:41| commBind: Cannot bind socket FD 13 to x.x.x.y:80: (13) Permission denied

When selinux is in permissive mode it starts correctly. The only logging in syslog is:

Jun  9 11:34:06 hydra1 kernel: audit(1118313246.485:0): avc:  denied  { getattr } for  pid=3187 comm=squid path=/boot dev=sda1 ino=2 scontext=root:system_r:squid_t tcontext=system_u:object_r:boot_t tclass=dir

This is displayed once per child process. It does not appear to be the cause of the failure.

Russell Coker said:
I guess that you changed the port number as well as the IP address.
squid_t is permitted to bind to ports of type http_cache_port_t, that
means the following ports (from the net_contexts file):
portcon tcp 3128  system_u:object_r:http_cache_port_t
portcon tcp 8080  system_u:object_r:http_cache_port_t
portcon udp 3130  system_u:object_r:http_cache_port_t
portcon tcp 8118  system_u:object_r:http_cache_port_t

We can solve that with the following policy.

bool squid_use_http_port false;
if (squid_use_http_port) {
    allow squid_t http_port_t:tcp_socket name_bind;
}

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.88 squid-2.5.STABLE6-3.4E.5

How reproducible:

Steps to Reproduce:
1. Install Squid
2. Enable the targeted policy
3. Change http_port to 80 in /etc/squid/squid.conf
4. service squid start

Actual Results:  Squid fails to bind to its network ports

Expected Results:  Squid starts

Additional info:

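The port-type rule Russell Coker describes, as an added shell example that is not part of this report or of the selinux-policy package: it parses portcon lines like the ones quoted above, resolves the type labelling a port, and applies the squid_use_http_port rule to decide whether squid_t may bind it. The 80/tcp portcon line and the function names are my own assumptions (http_port_t is the reference-policy label for port 80).

```shell
#!/bin/sh
# Constructed excerpt of net_contexts: the http_cache_port_t lines are the
# ones quoted in the report; the 80/tcp line is assumed (http_port_t is the
# reference-policy label for port 80) and is what makes squid's bind fail.
NET_CONTEXTS='portcon tcp 80    system_u:object_r:http_port_t
portcon tcp 3128  system_u:object_r:http_cache_port_t
portcon tcp 8080  system_u:object_r:http_cache_port_t
portcon udp 3130  system_u:object_r:http_cache_port_t
portcon tcp 8118  system_u:object_r:http_cache_port_t'

# port_type PROTO PORT: print the SELinux type labelling PORT/PROTO,
# or "unlabelled" when no portcon line matches.
port_type() {
    printf '%s\n' "$NET_CONTEXTS" | awk -v proto="$1" -v port="$2" '
        $1 == "portcon" && $2 == proto && $3 == port {
            n = split($4, ctx, ":"); print ctx[n]; found = 1; exit
        }
        END { if (!found) print "unlabelled" }'
}

# squid_may_bind PROTO PORT BOOL: succeed when squid_t may name_bind the
# port under the rules quoted above. http_cache_port_t is always allowed;
# http_port_t only when the squid_use_http_port boolean (BOOL) is "true".
squid_may_bind() {
    case "$(port_type "$1" "$2")" in
        http_cache_port_t) return 0 ;;
        http_port_t)       [ "$3" = "true" ] ;;
        *)                 return 1 ;;
    esac
}

# squid_conf_port FILE: the port of the first http_port line in a
# squid.conf, accepting both "http_port 80" and "http_port 10.0.0.1:80".
squid_conf_port() {
    awk '$1 == "http_port" { sub(/.*:/, "", $2); print $2; exit }' "$1"
}

# Walk the report's scenario: port 80 with the boolean off, then on.
for b in false true; do
    if squid_may_bind tcp 80 "$b"; then v=allowed; else v=denied; fi
    echo "80/tcp is $(port_type tcp 80); squid_use_http_port=$b -> $v"
done
```

On a live system the same questions are answered by the policy's port labels and booleans (on later releases, semanage port -l and getsebool); this script only reproduces the decision logic offline.
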
Comment 1 Daniel Walsh 2005-07-21 18:08:24 UTC
Fixed in selinux-policy-targeted-1.17.30-2.100

Comment 2 Red Hat Bugzilla 2005-10-05 16:34:50 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.