mirror of https://github.com/mkerrisk/man-pages
375c65a9c2
Recently I had to troubleshoot a problem where a connect() call was returning EACCES:

```
17648 socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 37
17648 connect(37, {sa_family=AF_INET, sin_port=htons(8081), sin_addr=inet_addr("10.12.1.201")}, 16) = -1 EACCES (Permission denied)
```

I've traced this to SELinux policy denying the connection. This is on a Fedora 23 VM:

```
$ cat /etc/redhat-release
Fedora release 23 (Twenty Three)
$ uname -a
Linux mako-fedora-01 4.8.13-100.fc23.x86_64 #1 SMP Fri Dec 9 14:51:40 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
```

The manpage says this can happen when connecting to a broadcast address, or when a local firewall rule blocks the connection. However, the address above is unicast, and using 'wget' from another account to access the URL works fine.

The context is that we're building an OS image, and this involves downloading RPMs through a proxy. The proxy (polipo) is labelled by SELinux, and I guess there is some sort of policy that says "proxy can only connect to HTTP ports". When trying to connect to a server listening on a port that is not labeled as an HTTP server port, I guess SELinux steps in. With 'setenforce 0', the build works fine.

In the kernel sources I see connect() calls security_socket_connect() (see https://elixir.bootlin.com/linux/latest/source/net/socket.c#L1855), which calls whatever security hooks are registered. I see the SELinux hook getting registered at https://elixir.bootlin.com/linux/latest/source/security/selinux/hooks.c#L7047, and setting a perf probe on the call proves that the selinux_socket_connect function gets called (while tcp_v4_connect() is not).

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
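The report above notes that connect(2) documents EACCES for two cases, a broadcast destination without SO_BROADCAST and a local firewall rule, and then rules both out for a unicast TCP connect, leaving an LSM (SELinux) denial. The following added example (not part of the man-pages repository or the commit) reproduces the documented broadcast case so the two can be told apart: a UDP socket connected to the loopback subnet broadcast 127.255.255.255 fails with EACCES, and the same connect succeeds once SO_BROADCAST is set. It assumes a Linux host with the lo interface up; port 8081 is just the port from the report.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* connect() a UDP socket to addr:8081 and return 0 on success or the errno
 * that connect() set.  UDP connect() sends nothing; it only resolves the
 * route and records the default destination, so this is safe to run offline.
 * If want_broadcast is non-zero, SO_BROADCAST is enabled first. */
int udp_connect_errno(const char *addr, int want_broadcast)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return errno;

    if (want_broadcast) {
        int one = 1;
        if (setsockopt(fd, SOL_SOCKET, SO_BROADCAST, &one, sizeof one) < 0) {
            int e = errno;
            close(fd);
            return e;
        }
    }

    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(8081);           /* port taken from the report above */
    if (inet_pton(AF_INET, addr, &sin.sin_addr) != 1) {
        close(fd);
        return EINVAL;
    }

    int e = connect(fd, (struct sockaddr *)&sin, sizeof sin) < 0 ? errno : 0;
    close(fd);
    return e;
}

int main(void)
{
    /* 127.255.255.255 is the kernel-installed broadcast route for lo. */
    int without = udp_connect_errno("127.255.255.255", 0);
    int with    = udp_connect_errno("127.255.255.255", 1);
    printf("broadcast, no SO_BROADCAST: %s\n", without ? strerror(without) : "ok");
    printf("broadcast, SO_BROADCAST:    %s\n", with ? strerror(with) : "ok");
    printf("unicast 127.0.0.1:          %s\n",
           udp_connect_errno("127.0.0.1", 0) ? "error" : "ok");
    return 0;
}
```

An EACCES on a unicast address, or on a SOCK_STREAM socket (which has no broadcast case at all), is therefore not this path; on an SELinux system the AVC record in the audit log is the place to confirm the LSM denial the reporter found.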
Repository contents:

- man1
- man2
- man3
- man4
- man5
- man6
- man7
- man8
- scripts
- CONTRIBUTING
- Changes
- Changes.old
- Makefile
- README
- man-pages-5.07.Announce
- man-pages-5.07.lsm
README

This package contains Linux man pages for sections 1 through 8. Some more
information is given in the 'man-pages-x.y.Announce' file.

Homepage
========

For information about the Linux man-pages project, see
http://www.kernel.org/doc/man-pages/index.html.

Bug reports and contributing
============================

If you have corrections and additions to suggest, see
http://www.kernel.org/doc/man-pages/contributing.html

(Although there is a mirror of this repository on GitHub, please don't
report issues via the GitHub issue tracker!)

For further information on contributing, see the CONTRIBUTING file.

Installing and uninstalling
===========================

"make install" will copy these man pages to /usr/share/man/man[1-8].
To install to a path different from /usr, use
"make install prefix=/install/path".

"make remove" or "make uninstall" will remove any man page in this
distribution from its destination. Use with caution, and remember to
use "prefix" if desired, as with the "install" target.

"make" or "make all" will perform "make uninstall" followed by
"make install".

Copyrights
==========

See the 'man-pages-x.y.Announce' file.