Bug 121068 - Connection refused attempt to contact http server
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: policy
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Colin Walters
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: FC2Blocker
Reported: 2004-04-16 19:14 UTC by Gene Czarcinski
Modified: 2007-11-30 22:10 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2004-04-20 07:52:37 UTC
Type: ---
Embargoed:



Description Gene Czarcinski 2004-04-16 19:14:02 UTC
Description of problem:

I started httpd (configured as distributed).  I then attempted to
contact it from another system.

start httpd when enforcing=0 ... works

start httpd when enforcing=1 ... connection refused.


policy=1.11.2-8

Here are the messages from /var/log/messages:

Apr 16 15:02:24 chaos httpd: httpd shutdown succeeded
Apr 16 15:02:31 chaos kernel: audit(1082142151.511:0): avc:  granted 
{ setenforce } for  pid=25782 exe=/usr/bin/setenforce
scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t
tclass=security
Apr 16 15:02:36 chaos httpd: httpd startup succeeded
Apr 16 15:02:36 chaos kernel: audit(1082142156.772:0): avc:  denied  {
write } for  pid=25796 exe=/usr/sbin/httpd name=jk2.shm dev=hda7
ino=1056042 scontext=root:system_r:httpd_t
tcontext=root:object_r:httpd_log_t tclass=file
Apr 16 15:02:36 chaos kernel: audit(1082142156.996:0): avc:  denied  {
write } for  pid=25796 exe=/usr/sbin/httpd name=.index dev=hda7
ino=868025 scontext=root:system_r:httpd_t tcontext=root:object_r:usr_t
tclass=file
 
 
After applying policy=1.11.2-8
 
Apr 16 15:13:19 chaos kernel: audit(1082142799.863:0): avc:  granted 
{ setenforce } for  pid=26215 exe=/usr/bin/setenforce
scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t
tclass=security
Apr 16 15:13:22 chaos kernel: audit(1082142802.703:0): avc:  granted 
{ setenforce } for  pid=26217 exe=/usr/bin/setenforce
scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t
tclass=security
Apr 16 15:13:36 chaos httpd: httpd startup succeeded
Apr 16 15:13:36 chaos kernel: audit(1082142816.393:0): avc:  denied  {
write } for  pid=26233 exe=/usr/sbin/httpd name=jk2.shm dev=hda7
ino=1056042 scontext=root:system_r:httpd_t
tcontext=root:object_r:httpd_log_t tclass=file
Apr 16 15:13:36 chaos kernel: audit(1082142816.622:0): avc:  denied  {
write } for  pid=26233 exe=/usr/sbin/httpd name=.index dev=hda7
ino=868025 scontext=root:system_r:httpd_t tcontext=root:object_r:usr_t
tclass=file

Comment 1 Colin Walters 2004-04-16 22:49:46 UTC
I can reproduce this.  When I do an enableaudit policy build, I can
see denials like:

audit(1082155901.061:0): avc:  denied  { read write } for  pid=4124
exe=/usr/sbin/httpd path=/dev/pts/9 dev= ino=11
scontext=root:system_r:httpd_t tcontext=root:object_r:sysadm_devpts_t
tclass=chr_file

If I allow this, Apache starts up correctly.  Investigating more...

Comment 2 Colin Walters 2004-04-16 23:26:02 UTC
Hm, it appears to be getting an error deep in APR.  I wonder if this
has something to do with the kernel closing fds 0-2 again.

Comment 3 Colin Walters 2004-04-19 15:12:45 UTC
Now I can't reproduce this anymore.  I couldn't on my laptop in the
first place, and after a yum upgrade and a reboot on my desktop, the
issue is gone there as well.   The only thing I can think of is that
maybe some of the recent networking changes in the policy require a
reboot to have the sockets correctly labeled.

Gene, can you try upgrading to the latest rawhide and/or rebooting
your system?  Can you reproduce this 100% still?  


Comment 4 Gene Czarcinski 2004-04-20 07:52:37 UTC
Still getting some avc: denied messages but I can now start and get
connected when enforcing=1.  Whatever the problem was, it is now fixed.

policy=1.11.2-9

closing

