setroubleshoot: SELinux is preventing the squid (squid_t) from binding to port 5000 Error and Solution

by on July 15, 2010 · 0 comments· LAST UPDATED July 15, 2010

in

I've setup Squid Proxy server as described here, but I'm getting errors which read as follows:

Jul 14 15:09:02 server1 squid[5315]: Squid Parent: child process 5317 started
Jul 14 15:09:02 server1 squid[5317]: Cannot open HTTP Port
Jul 14 15:09:02 server1 squid[5315]: Squid Parent: child process 5317 exited due to signal 6
Jul 14 15:09:02 server1 setroubleshoot: SELinux is preventing the squid (squid_t) from binding to port 5000. For complete SELinux messages. run sealert -l 1cf3c788-35f7-4752-8439-92a1d0719466

How do I fix this problem?

The default port for Squid is 3128 and you've changed it to 5000. The SELinux which is part of RHEL / CentOS / Fedora prevents running squid on any other port. Type the following command to see detailed message:
sealert -l 1cf3c788-35f7-4752-8439-92a1d0719466
Sample outputs:

sealert -l 1cf3c788-35f7-4752-8439-92a1d0719466
Summary:
SELinux is preventing the squid (squid_t) from binding to port 5000.
Detailed Description:
SELinux has denied the squid from binding to a network port 5000 which does not
have an SELinux type associated with it. If squid is supposed to be allowed to
listen on this port, you can use the semanage command to add this port to a port
type that squid_t can bind to. semanage port -l will list all port types. Please
file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against
the selinux-policy package. If squid is not supposed to bind to this port, this
could signal a intrusion attempt. If this system is running as an NIS Client,
turning on the allow_ypbind boolean, may fix the problem. setsebool -P
allow_ypbind=1.
Allowing Access:
If you want to allow squid to bind to this port semanage port -a -t PORT_TYPE -p
PROTOCOL 5000 Where PORT_TYPE is a type that squid_t can bind and PROTOCOL is
udp or tcp.
Additional Information:
Source Context                root:system_r:squid_t
Target Context                system_u:object_r:port_t
Target Objects                None [ tcp_socket ]
Source                        squid
Source Path                   /usr/sbin/squid
Port                          5000
Host                          server1.nixcraft.net.in
Source RPM Packages           squid-2.6.STABLE21-6.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-279.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   bind_ports
Host Name                     server1.nixcraft.net.in
Platform                      Linux server1.nixcraft.net.in 2.6.18-194.8.1.el5 #1
                              SMP Wed Jun 23 10:52:51 EDT 2010 x86_64 x86_64
Alert Count                   5
First Seen                    Wed Jul 14 15:09:02 2010
Last Seen                     Wed Jul 14 15:09:15 2010
Local ID                      1cf3c788-35f7-4752-8439-92a1d0719466
Line Numbers
Raw Audit Messages
host=server1.nixcraft.net.in type=AVC msg=audit(1279138155.644:158): avc:  denied  { name_bind } for  pid=5366 comm="squid" src=5000 scontext=root:system_r:squid_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
host=server1.nixcraft.net.in type=SYSCALL msg=audit(1279138155.644:158): arch=c000003e syscall=49 success=no exit=-13 a0=11 a1=7ffff9929280 a2=10 a3=7ffff992929c items=0 ppid=5315 pid=5366 auid=0 uid=23 gid=23 euid=0 suid=0 fsuid=0 egid=23 sgid=23 fsgid=23 tty=(none) ses=1 comm="squid" exe="/usr/sbin/squid" subj=root:system_r:squid_t:s0 key=(null)

But, How Do I Fix This Problem and Use Port 5000 for Squid?

Type the following command to add a new SELinux port mapping for the Squid service:
# semanage port -a -t http_cache_port_t -p tcp 5000
# service squid start
# chkconfig squid on
# tail -f /var/log/messages

TwitterFacebookGoogle+PDF versionFound an error/typo on this page? Help us!

{ 0 comments… add one now }

Leave a Comment

Tagged as: , , , , , , , , , , , , , , , , , , , , ,

Previous Faq:

Next Faq: