  1. #1
    Linux Newbie blnl's Avatar
    Join Date
    Jan 2009
    Location
    The Netherlands
    Posts
    168

    Question [SOLVED] Help! squid, transmission, SELinux


    Normal Operation: Transmission daemon is running on a dedicated server. Connecting to the transmission web interface from a remote machine: Entering the server IP followed by the transmission port number (i.e. http://192.168.1.220:9091) in the web browser -> a window pops up asking for the credentials -> entering my credentials -> transmission web interface opens in the web browser.

    Problem Description: Can't open the transmission web interface from a remote machine behind squid proxy:
    Read Error
    The system returned: (107) Transport endpoint is not connected

    Bypassing squid proxy enables me to open the transmission web interface. Also from a WinXP machine the transmission web interface is accessible.
    Besides the squid error (above), SELinux alert appears too:


    Can someone help me with this?
    I'm not sure if the problem is in squid or SELinux configuration.
    Fedora_20@Dell_Latitude_E6410
    Ubuntu_14.04_LTS@HP_Compaq_DC7100

  2. #2
    Linux Enthusiast meton_magis's Avatar
    Join Date
    Oct 2006
    Location
    arizona
    Posts
    699
    what distro are you running on?

    I'm guessing there is a boolean in selinux you can check (or uncheck) to enable squid to connect to nonstandard ports. Also, the default squid config does not allow connections to unknown ports, you may need to change this. Is this a production server machine, or are you just dinking around on your desktop / spare computer?

    I would suggest disabling selinux, trying it, and if it works, you have your problem, re-enable selinux, find the boolean to (un)check, and you should be good to go.
    New to the internet, technical forums, or the hacker / open source community??
    Read this to learn good posting habits http://www.catb.org/~esr/faqs/smart-questions.html

    RHCE for RHEL version 5
    RHCT for RHEL version 4

  3. #3
    Linux Newbie blnl's Avatar
    Join Date
    Jan 2009
    Location
    The Netherlands
    Posts
    168
    Distro = Fedora 12
    This is not a production server, transmission is installed on a NAS, while squid on other machines controls internet access (kids must do their homework too).

    Thanks for the suggestion, I'll try setting SELinux to permissive and see what happens.

    the default squid config does not allow connections to unknown ports
    Yes I'm using default squid.config + time ACL + allowed sites & forbidden sites. However, according to my configuration port 9091 should be allowed:
    Code:
    acl SSL_ports port 443
    acl Safe_ports port 80		# http
    acl Safe_ports port 21		# ftp
    acl Safe_ports port 443		# https
    acl Safe_ports port 70		# gopher
    acl Safe_ports port 210		# wais
    acl Safe_ports port 1025-65535	# unregistered ports
    acl Safe_ports port 280		# http-mgmt
    acl Safe_ports port 488		# gss-http
    acl Safe_ports port 591		# filemaker
    acl Safe_ports port 777		# multiling http
    acl CONNECT method CONNECT
    Fedora_20@Dell_Latitude_E6410
    Ubuntu_14.04_LTS@HP_Compaq_DC7100

  5. #4
    Linux Newbie blnl's Avatar
    Join Date
    Jan 2009
    Location
    The Netherlands
    Posts
    168

    I tried disabling SELinux as follows:
    Code:
    [root@nc6000 boris]# echo 0 > /selinux/enforce
    [root@nc6000 boris]# getenforce
    Permissive
    [root@nc6000 boris]# echo 1 > /selinux/enforce
    [root@nc6000 boris]# getenforce
    Enforcing
    The problem disappears while in "Permissive" mode. (squid proxy is active during this experiment.)
    In "Permissive" I can access the transmission web interface. As soon as I switch back to "Enforcing" mode the connection is broken, and the following message appears:

    Meaning: SELinux is blocking the connection.

    But then, while still in "Enforcing" mode, when I bypass the squid proxy the problem disappears as well. As soon as I reactivate the squid proxy the same message appears:

    Meaning: squid is also blocking the connection.

    Conclusion: transmission interface is blocked only when both SELinux and squid are active.
    Which one is to blame?
    I'm confident that my squid settings are all right. It is supported by the fact that squid functions properly when SELinux is in permissive mode. That means SELinux is guilty.

    According to www, there are several options to try out:
    1. turn off SELinux for Squid
      Code:
      setsebool -P squid_disable_trans 1
    2. allow Squid to connect to any port
      Code:
      setsebool -P squid_connect_any 1
    3. change SELinux policy for port 9091
      Code:
      semanage port -a -t http_port_t -p tcp 9091
    Last edited by blnl; 06-17-2010 at 07:36 AM.
    Fedora_20@Dell_Latitude_E6410
    Ubuntu_14.04_LTS@HP_Compaq_DC7100

  6. #5
    Linux Newbie blnl's Avatar
    Join Date
    Jan 2009
    Location
    The Netherlands
    Posts
    168

    Thumbs up

    The first option does not do anything on my system.
    Code:
    [root@nc6000 addressbook]# setsebool -P squid_disable_trans 1
    libsemanage.dbase_llist_set: record not found in the database (No such file or directory).
    libsemanage.dbase_llist_set: could not set record value (No such file or directory).
    Could not change boolean squid_disable_trans
    Could not change policy booleans
    The other two options worked fine. I chose to change the port policy only. Probably this is better from the security point of view.
    Now I can connect to transmission web interface while squid proxy is active.
    Fedora_20@Dell_Latitude_E6410
    Ubuntu_14.04_LTS@HP_Compaq_DC7100
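
Added example, not part of the original thread: a way to confirm from the audit log which destination ports SELinux denied to squid before relabeling only those ports (option 3 above). The audit lines are constructed samples and the function names `squid_denied_ports` and `suggest_port_labels` are hypothetical.

```shell
#!/bin/sh
# Added example: report the TCP ports SELinux refused to let squid connect to.
# SAMPLE_AUDIT is constructed for illustration; it is not taken from the thread.
SAMPLE_AUDIT='type=AVC msg=audit(1276750000.101:41): avc:  denied  { name_connect } for  pid=2210 comm="squid" dest=9091 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1276750003.417:42): avc:  denied  { name_connect } for  pid=2210 comm="squid" dest=9091 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1276750009.000:43): avc:  denied  { read } for  pid=2300 comm="httpd" name="index.html" dev=dm-0 ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1276750003.417:42): arch=40000003 syscall=102 success=no exit=-13 comm="squid" exe="/usr/sbin/squid"'

# Read audit-log text on stdin and print "port target_type count" for every
# denied name_connect whose source domain is squid_t. Other denials and
# non-AVC records are ignored.
squid_denied_ports() {
    awk '
    /type=AVC/ && /denied/ && /name_connect/ && /scontext=[^ ]*:squid_t:/ {
        port = ""; ttype = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^dest=/) port = substr($i, 6)
            if ($i ~ /^tcontext=/) {
                # context is user:role:type:level, keep the type
                split(substr($i, 10), c, ":"); ttype = c[3]
            }
        }
        if (port != "") seen[port " " ttype]++
    }
    END { for (k in seen) print k, seen[k] }' | sort -n
}

# Turn the report into the per-port relabel command used in the thread.
# The commands are only printed, so they can be reviewed before running as root.
suggest_port_labels() {
    squid_denied_ports | while read -r port ttype count; do
        echo "semanage port -a -t http_port_t -p tcp $port"
    done
}

# Demo on the constructed sample. On a live system, feed the real log instead:
#   ausearch -m avc -c squid | squid_denied_ports
printf '%s\n' "$SAMPLE_AUDIT" | squid_denied_ports
printf '%s\n' "$SAMPLE_AUDIT" | suggest_port_labels
```

Relabeling only the ports that show up in this report keeps squid confined to the ports it actually needs, whereas `squid_connect_any` lifts the port restriction for the whole squid domain.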

  7. #6
    Linux Enthusiast meton_magis's Avatar
    Join Date
    Oct 2006
    Location
    arizona
    Posts
    699
    glad to hear it. Selinux problems can be very difficult to pinpoint, but it has come a long way, and solutions tend to be much easier than they once were.
    New to the internet, technical forums, or the hacker / open source community??
    Read this to learn good posting habits http://www.catb.org/~esr/faqs/smart-questions.html

    RHCE for RHEL version 5
    RHCT for RHEL version 4
