
Bug 121068

Summary: Connection refused attempt to contact http server
Product: [Fedora] Fedora
Reporter: Gene Czarcinski <gczarcinski>
Component: policy
Assignee: Colin Walters <walters>
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Version: rawhide
CC: pgraner
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2004-04-20 07:52:37 UTC
Bug Blocks: 114961

Description Gene Czarcinski 2004-04-16 19:14:02 UTC
Description of problem:

I started httpd (configured as distributed).  I then attempted to
contact it from another system.

start httpd when enforcing=0 ... works

start httpd when enforcing=1 ... connection refused.


policy=1.11.2-8

Here are the messages from /var/log/messages:

Apr 16 15:02:24 chaos httpd: httpd shutdown succeeded
Apr 16 15:02:31 chaos kernel: audit(1082142151.511:0): avc:  granted 
{ setenforce } for  pid=25782 exe=/usr/bin/setenforce
scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t
tclass=security
Apr 16 15:02:36 chaos httpd: httpd startup succeeded
Apr 16 15:02:36 chaos kernel: audit(1082142156.772:0): avc:  denied  {
write } for  pid=25796 exe=/usr/sbin/httpd name=jk2.shm dev=hda7
ino=1056042 scontext=root:system_r:httpd_t
tcontext=root:object_r:httpd_log_t tclass=file
Apr 16 15:02:36 chaos kernel: audit(1082142156.996:0): avc:  denied  {
write } for  pid=25796 exe=/usr/sbin/httpd name=.index dev=hda7
ino=868025 scontext=root:system_r:httpd_t tcontext=root:object_r:usr_t
tclass=file
 
 
After applying policy=1.11.2-8
 
Apr 16 15:13:19 chaos kernel: audit(1082142799.863:0): avc:  granted 
{ setenforce } for  pid=26215 exe=/usr/bin/setenforce
scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t
tclass=security
Apr 16 15:13:22 chaos kernel: audit(1082142802.703:0): avc:  granted 
{ setenforce } for  pid=26217 exe=/usr/bin/setenforce
scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t
tclass=security
Apr 16 15:13:36 chaos httpd: httpd startup succeeded
Apr 16 15:13:36 chaos kernel: audit(1082142816.393:0): avc:  denied  {
write } for  pid=26233 exe=/usr/sbin/httpd name=jk2.shm dev=hda7
ino=1056042 scontext=root:system_r:httpd_t
tcontext=root:object_r:httpd_log_t tclass=file
Apr 16 15:13:36 chaos kernel: audit(1082142816.622:0): avc:  denied  {
write } for  pid=26233 exe=/usr/sbin/httpd name=.index dev=hda7
ino=868025 scontext=root:system_r:httpd_t tcontext=root:object_r:usr_t
tclass=file

Comment 1 Colin Walters 2004-04-16 22:49:46 UTC
I can reproduce this.  When I do an enableaudit policy build, I can
see denials like:

audit(1082155901.061:0): avc:  denied  { read write } for  pid=4124
exe=/usr/sbin/httpd path=/dev/pts/9 dev= ino=11
scontext=root:system_r:httpd_t tcontext=root:object_r:sysadm_devpts_t
tclass=chr_file

If I allow this, Apache starts up correctly.  Investigating more...

Comment 2 Colin Walters 2004-04-16 23:26:02 UTC
Hm, it appears to be getting an error deep in APR.  I wonder if this
has something to do with the kernel closing fds 0-2 again.

Comment 3 Colin Walters 2004-04-19 15:12:45 UTC
Now I can't reproduce this anymore.  I couldn't on my laptop in the
first place, and after a yum upgrade and a reboot on my desktop, the
issue is gone there as well.   The only thing I can think of is that
maybe some of the recent networking changes in the policy require a
reboot to have the sockets correctly labeled.

Gene, can you try upgrading to the latest rawhide and/or rebooting
your system?  Can you reproduce this 100% still?  


Comment 4 Gene Czarcinski 2004-04-20 07:52:37 UTC
Still getting some avc: denied messages but I can now start and get
connected when enforcing=1.  Whatever the problem was, it is now fixed.

policy=1.11.2-9

closing