setroubleshoot: SELinux is preventing the squid (squid_t) from binding to port 5000 Error and Solution

Posted on in Categories last updated July 15, 2010

I’ve setup Squid Proxy server as described here, but I’m getting errors which read as follows:

Jul 14 15:09:02 server1 squid[5315]: Squid Parent: child process 5317 started
Jul 14 15:09:02 server1 squid[5317]: Cannot open HTTP Port
Jul 14 15:09:02 server1 squid[5315]: Squid Parent: child process 5317 exited due to signal 6
Jul 14 15:09:02 server1 setroubleshoot: SELinux is preventing the squid (squid_t) from binding to port 5000. For complete SELinux messages. run sealert -l 1cf3c788-35f7-4752-8439-92a1d0719466

How do I fix this problem?

The default port for Squid is 3128 and you’ve changed it to 5000. The SELinux which is part of RHEL / CentOS / Fedora prevents running squid on any other port. Type the following command to see detailed message:
sealert -l 1cf3c788-35f7-4752-8439-92a1d0719466
Sample outputs:

sealert -l 1cf3c788-35f7-4752-8439-92a1d0719466


SELinux is preventing the squid (squid_t) from binding to port 5000.

Detailed Description:

SELinux has denied the squid from binding to a network port 5000 which does not
have an SELinux type associated with it. If squid is supposed to be allowed to
listen on this port, you can use the semanage command to add this port to a port
type that squid_t can bind to. semanage port -l will list all port types. Please
file a bug report ( against
the selinux-policy package. If squid is not supposed to bind to this port, this
could signal a intrusion attempt. If this system is running as an NIS Client,
turning on the allow_ypbind boolean, may fix the problem. setsebool -P

Allowing Access:

If you want to allow squid to bind to this port semanage port -a -t PORT_TYPE -p
PROTOCOL 5000 Where PORT_TYPE is a type that squid_t can bind and PROTOCOL is
udp or tcp.

Additional Information:

Source Context                root:system_r:squid_t
Target Context                system_u:object_r:port_t
Target Objects                None [ tcp_socket ]
Source                        squid
Source Path                   /usr/sbin/squid
Port                          5000
Source RPM Packages           squid-2.6.STABLE21-6.el5
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-279.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   bind_ports
Host Name           
Platform                      Linux 2.6.18-194.8.1.el5 #1
                              SMP Wed Jun 23 10:52:51 EDT 2010 x86_64 x86_64
Alert Count                   5
First Seen                    Wed Jul 14 15:09:02 2010
Last Seen                     Wed Jul 14 15:09:15 2010
Local ID                      1cf3c788-35f7-4752-8439-92a1d0719466
Line Numbers                  

Raw Audit Messages     type=AVC msg=audit(1279138155.644:158): avc:  denied  { name_bind } for  pid=5366 comm="squid" src=5000 scontext=root:system_r:squid_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1279138155.644:158): arch=c000003e syscall=49 success=no exit=-13 a0=11 a1=7ffff9929280 a2=10 a3=7ffff992929c items=0 ppid=5315 pid=5366 auid=0 uid=23 gid=23 euid=0 suid=0 fsuid=0 egid=23 sgid=23 fsgid=23 tty=(none) ses=1 comm="squid" exe="/usr/sbin/squid" subj=root:system_r:squid_t:s0 key=(null)

But, How Do I Fix This Problem and Use Port 5000 for Squid?

Type the following command to add a new SELinux port mapping for the Squid service:
# semanage port -a -t http_cache_port_t -p tcp 5000
# service squid start
# chkconfig squid on
# tail -f /var/log/messages

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin and a trainer for the Linux operating system/Unix shell scripting. He has worked with global clients and in various industries, including IT, education, defense and space research, and the nonprofit sector. Follow him on Twitter, Facebook, Google+.

Leave a Comment