Bug 159966 - Squid fails to start listening on port 80
Summary: Squid fails to start listening on port 80
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: selinux-policy-targeted
Version: 4.0
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
Depends On:
Blocks: 156322
Reported: 2005-06-09 19:33 UTC by Matthew Booth
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version: RHBA-2005-645
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2005-10-05 16:34:50 UTC
Target Upstream Version:


System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2005:645 qe-ready SHIPPED_LIVE SELinux policy bug fix update 2005-10-05 04:00:00 UTC

Description Matthew Booth 2005-06-09 19:33:55 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.7.8) Gecko/20050512 Red Hat/1.0.4-1.4.1 Firefox/1.0.4

Description of problem:
I have squid configured as an http accelerator listening on port 80. When selinux is enabled it does not start. The error message in cache.log is:

2005/06/09 20:22:41| commBind: Cannot bind socket FD 13 to x.x.x.x:80: (13) Permission denied
2005/06/09 20:22:41| commBind: Cannot bind socket FD 13 to x.x.x.y:80: (13) Permission denied

When selinux is in permissive mode it starts correctly. The only logging in syslog is:

Jun  9 11:34:06 hydra1 kernel: audit(1118313246.485:0): avc:  denied  { getattr } for  pid=3187 comm=squid path=/boot dev=sda1 ino=2 scontext=root:system_r:squid_t tcontext=system_u:object_r:boot_t tclass=dir

This is displayed once per child process. It does not appear to be the cause of the failure.

Russell Coker said:
I guess that you changed the port number as well as the IP address.
squid_t is permitted to bind to ports of type http_cache_port_t, that
means the following ports (from the net_contexts file):
portcon tcp 3128  system_u:object_r:http_cache_port_t
portcon tcp 8080  system_u:object_r:http_cache_port_t
portcon udp 3130  system_u:object_r:http_cache_port_t
portcon tcp 8118  system_u:object_r:http_cache_port_t

We can solve that with the following policy.

bool squid_use_http_port false;
if (squid_use_http_port) {
allow squid_t http_port_t:tcp_socket name_bind;
}

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.88 squid-2.5.STABLE6-3.4E.5

How reproducible:

Steps to Reproduce:
1. Install Squid
2. Enable the targeted policy
3. Change http_port to 80 in /etc/squid/squid.conf
4. service squid start

Actual Results:  Squid fails to bind to its network ports

Expected Results:  Squid starts

Additional info:
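
As an added illustration (not part of the bug report), a small shell script that models the policy logic Russell Coker describes: a port's label comes from its portcon entry, squid_t may name_bind only to http_cache_port_t, and the proposed squid_use_http_port boolean extends that to http_port_t. The portcon list is a constructed excerpt with port 80's http_port_t entry added; the port_t fallback for unlisted ports is an assumption about the default label.

```shell
#!/bin/sh
# Constructed excerpt in net_contexts format (not copied from a live system).
# On a real host, consult `semanage port -l` or the policy sources instead.
PORTCON='portcon tcp 3128  system_u:object_r:http_cache_port_t
portcon tcp 8080  system_u:object_r:http_cache_port_t
portcon udp 3130  system_u:object_r:http_cache_port_t
portcon tcp 8118  system_u:object_r:http_cache_port_t
portcon tcp 80    system_u:object_r:http_port_t'

# port_type PROTO PORT -> prints the SELinux type of that port.
# Ports without a portcon entry fall back to port_t (assumed default).
port_type() {
  t=$(printf '%s\n' "$PORTCON" | awk -v p="$1" -v n="$2" \
      '$2 == p && $3 == n { sub(/.*:/, "", $4); print $4; exit }')
  printf '%s\n' "${t:-port_t}"
}

# squid_may_bind PROTO PORT BOOL -> "allowed" or "denied" for tcp_socket
# name_bind by squid_t. BOOL is the value of squid_use_http_port
# (true/false). Mirrors the base rule plus the boolean-gated allow rule.
squid_may_bind() {
  ptype=$(port_type "$1" "$2")
  case "$ptype" in
    http_cache_port_t) echo allowed ;;
    http_port_t) [ "$3" = true ] && echo allowed || echo denied ;;
    *) echo denied ;;
  esac
}

# Walk the two cases from the report: the default 3128 and the changed 80.
for port in 3128 80; do
  printf 'tcp/%s is %s: bind %s with boolean off, %s with boolean on\n' \
    "$port" "$(port_type tcp "$port")" \
    "$(squid_may_bind tcp "$port" false)" "$(squid_may_bind tcp "$port" true)"
done
```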

Comment 1 Daniel Walsh 2005-07-21 18:08:24 UTC
Fixed in selinux-policy-targeted-1.17.30-2.100

Comment 2 Red Hat Bugzilla 2005-10-05 16:34:50 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
