pki-bot / pki-issues-final


TPS port not labelled during instance creation #207

Closed pki-bot closed 3 years ago

pki-bot commented 3 years ago

This issue was migrated from Pagure Issue #208. Originally filed by nkinder (@nkinder) on 2012-06-25 17:59:40:


While creating a new TPS instance on a F17 system, I encountered a SELinux AVC that was caused by one of the TPS ports not being properly labelled. I should mention that I had to work around the issue described in ticket 207 before getting to the SELinux issue.

After I created the TPS systemd files, my TPS startup failed due to an AVC. It wasn't allowing httpd.worker (pki_tps_t context) to bind to port 7890 (unreserved_port_t context). This port should have been labelled as pki_tps_port_t at install time, but semanage shows that only ports 7888-7889 are labelled as pki_tps_port_t. This covers the "port" (7888) and "secure port" (7889), but not the "non client-auth secure port" (7890). The pki-tps-install.log shows that semanage thinks this port is already labelled, but it is not. I am able to manually label the port using semanage after installation to continue my testing.

pki-bot commented 3 years ago

Comment from nkinder (@nkinder) at 2012-06-26 17:00:20

Here is a snippet from the pki-tps-install.log that shows where we would typically label the ports:

```
[2012-06-21 10:50:44] [debug] configuring SELinux ...
[2012-06-21 10:50:45] [error] Failed setting selinux context pki_tps_port_t for 7889. Port already defined otherwise.
[2012-06-21 10:50:45] [error] Failed setting selinux context pki_tps_port_t for 7890. Port already defined otherwise.
[2012-06-21 10:50:45] [error] Failed setting selinux context pki_tps_port_t for 7888. Port already defined otherwise.
[2012-06-21 10:50:45] [debug] Selinux contexts already set. No need to run semanage.
```
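A post-install check for the condition reported above, added here as an example (it is not part of the original issue or of the Dogtag installer): it parses `semanage port -l` output and lists the expected ports that the given port type does not actually cover, instead of trusting the installer's "already set" message. The function names and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `semanage port -l` output on stdin and prints the
# expected ports that are NOT covered by the given SELinux port type.
# usage: missing_ports TYPE PROTO PORT... < semanage-port-list
missing_ports() {
    t=$1; proto=$2; shift 2
    awk -v t="$t" -v proto="$proto" -v want="$*" '
        $1 == t && $2 == proto {
            # Fields 3.. are a comma-separated list of ports and lo-hi ranges.
            for (i = 3; i <= NF; i++) {
                spec = $i; sub(/,$/, "", spec)
                n = split(spec, r, "-")
                lo[++cnt] = r[1] + 0
                hi[cnt] = (n == 2 ? r[2] : r[1]) + 0
            }
        }
        END {
            m = split(want, w, " ")
            out = ""
            for (j = 1; j <= m; j++) {
                ok = 0
                for (k = 1; k <= cnt; k++)
                    if (w[j] + 0 >= lo[k] && w[j] + 0 <= hi[k]) ok = 1
                if (!ok) out = out (out == "" ? "" : " ") w[j]
            }
            print out
        }'
}

# Constructed sample listing modelled on the state described in the report:
# only 7888-7889 carry pki_tps_port_t, so 7890 is left under a generic type.
SAMPLE='SELinux Port Type              Proto    Port Number

pki_tps_port_t                 tcp      7888-7889
unreserved_port_t              tcp      1024-32767
unreserved_port_t              udp      1024-32767'

check_sample() {
    printf '%s\n' "$SAMPLE" | missing_ports pki_tps_port_t tcp 7888 7889 7890
}

echo "ports missing pki_tps_port_t: $(check_sample)"
# On a live host (as root): semanage port -l | missing_ports pki_tps_port_t tcp 7888 7889 7890
```

An empty result means every expected port is covered by the type, whether it appears as a single port, in a comma-separated list, or inside a range.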

pki-bot commented 3 years ago

Comment from nkinder (@nkinder) at 2013-08-08 18:23:38

This issue doesn't apply to Dogtag 10, so I'm closing this.

pki-bot commented 3 years ago

Comment from nkinder (@nkinder) at 2017-02-27 14:03:25

Metadata Update from @nkinder:

pki-bot commented 3 years ago

Comment from mharmsen (@mharmsen) at 2017-02-27 17:25:48

Metadata Update from @mharmsen: