Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at
Bug 1277312 - Define types for ports 9526 and 9527 (used by openQA)
Summary: Define types for ports 9526 and 9527 (used by openQA)
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 23
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2015-11-03 01:22 UTC by Adam Williamson
Modified: 2016-02-17 03:50 UTC (History)
6 users (show)

Fixed In Version: selinux-policy-3.13.1-158.5.fc23 selinux-policy-3.13.1-158.6.fc23
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2016-02-17 03:50:22 UTC
Type: Bug

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1304882 0 medium CLOSED Review Request: openqa - OS-level automated test framework and web UI 2022-05-16 11:32:56 UTC

Internal Links: 1304882

Description Adam Williamson 2015-11-03 01:22:41 UTC
So I'm working on packaging openQA for Fedora ATM. openQA has its own daemon which runs on ports 9526 and 9527 (9527 for WebSockets) and it expects you to set up a regular web server (Apache or nginx) to reverse proxy it. (This style seems somewhat common for non-PHP webapps). Of course, that means the web server has to be allowed to connect to the daemon, something which is disallowed by default.

It seems that policy modules cannot apply types to ports, so I need the distro policy to define types for these ports, if possible. Thanks! We'd also want a policy allowing web servers to connect to those ports, but I could ship that bit of policy in the openQA package if that would make more sense.

If you want to see where these ports are specified:

openQA is based on the Mojolicious framework, which uses the MOJO_LISTEN environment variable to decide what port to listen on; here, openQA is setting that variable to 9526 (openqa) or 9527 (openqa-websockets) so long as the admin hasn't overridden it when launching those scripts.

Comment 1 Adam Williamson 2015-12-15 19:37:02 UTC
ping? folks?

Comment 2 Adam Williamson 2016-02-04 22:00:29 UTC

Comment 3 Daniel Walsh 2016-02-08 20:03:13 UTC
Lukas can you give this bug a look?

Comment 4 Lukas Vrabec 2016-02-09 09:13:57 UTC
Hi Adam,

I can label for your these ports and then you can create own custom policy where you allow this rules for your needs. 

Do you agree? 

Names for ports 'openqa' and 'openqa-websockets' are fine to me.

Comment 5 Adam Williamson 2016-02-09 16:29:56 UTC
yep, I plan to write a policy for the package, but the ports cannot be labelled in an external policy package, they have to be done in selinux-policy :) those names are fine, thanks!

Comment 6 Fedora Update System 2016-02-11 14:21:21 UTC
selinux-policy-3.13.1-158.6.fc23 has been submitted as an update to Fedora 23.

Comment 7 Fedora Update System 2016-02-14 16:23:19 UTC
selinux-policy-3.13.1-158.6.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See for
instructions on how to install test updates.
You can provide feedback for this update here:

Comment 8 Fedora Update System 2016-02-17 03:49:49 UTC
selinux-policy-3.13.1-158.6.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.