Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 160890 - Squid fails to open connection on port 21 (FTP) in SELinux targeted mode
Summary: Squid fails to open connection on port 21 (FTP) in SELinux targeted mode
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 2005-06-18 04:20 UTC by Bojan Smojver
Modified: 2007-11-30 22:11 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2005-06-29 00:12:42 UTC

Attachments (Terms of Use)

Description Bojan Smojver 2005-06-18 04:20:08 UTC
Description of problem:
Squid can't open connections to port 21 (and some other ports). This prevents
browsing of FTP sites.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.23.18-12 (i.e. FC4 updates/testing)

How reproducible:

Steps to Reproduce:
1. Run squid under targeted policy.
2. Attempt to open FTP site.
Actual results:
Connection refused.

Expected results:
Should work and it does when SELinux is disabled.

Additional info:
Jun 18 14:09:30 beauty kernel: audit(1119067770.693:65): avc:  denied  { name_co
nnect } for  pid=2255 comm="squid" dest=21 scontext=system_u:system_r:squid_t tc
ontext=system_u:object_r:ftp_port_t tclass=tcp_socket

Comment 1 Daniel Walsh 2005-06-18 10:23:06 UTC
If you set the boolean squid_connect_any

It should work, although ftp_port_t should probably be added to squid for default.

Comment 2 Bojan Smojver 2005-06-18 12:41:40 UTC
OK, I'll try that and report back. It would make sense to make it a default
though, just like you said.

I'm also having trouble with dovecot since moving to FC4, as reported in 158583.
The dovecot_disable_trans boolean wouldn't have anything to do with tcp ports,

Comment 3 Bojan Smojver 2005-06-29 00:12:42 UTC
This appears to be fixed in selinux-policy-targeted-1.23.18-17. One still does
need to enable squid_connect_any if passive FTP is being used, but that seems
OK, given that those ports cannot be predicted.

Note You need to log in before you can comment on or make changes to this bug.