w3c validator fails to hand off to validator.nu

Dominic Cronin asked:

I am setting up a local instance of the W3C validator on a computer running CentOS 6.4. I have installed it using yum. For HTML5 validation, the validator hands off to a separate implementation, available from validator.nu

I can run the validator.nu implementation successfully under Jetty, using the script provided with the distribution. I can test this successfully by pointing a browser directly at localhost:8888 and using it to validate a web site.

When I try to use my w3c validator to validate an HTML5 site, it attempts the hand-off and fails with the following message:

Checking the Document Type of this document requires the help of an external tool which was either not enabled in this validator, or is currently unavailable. Check in the validator’s system configuration that HTML5 Validator is enabled and functional.
The error encountered was: 500 Can’t connect to localhost:8888 (connect: Permission denied)

Disabling the firewall does not help. Neither apache (which hosts the w3c validator) nor Jetty (which hosts the validator.nu validator) appear to log anything relevant.

What relevant differences might there be between hitting localhost:8888 from a browser and from a cgi-bin running under apache?

Update: /var/log/audit/audit.log has the following:

type=AVC msg=audit(1393503835.221:31235): avc: denied { name_connect } for pid=40041 comm="check" dest=8888 scontext=unconfined_u:system_r:httpd_w3c_validator_script_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1393503835.221:31235): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=2340db0 a2=10 a3=21936e0 items=0 ppid=36416 pid=40041 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="check" exe="/usr/bin/perl" subj=unconfined_u:system_r:httpd_w3c_validator_script_t:s0 key=(null)

My answer:

You have an SELinux issue. Your httpd_w3c_validator_script_t is being denied access to open a TCP socket.

However, I can see in the current SELinux policy that this should be allowed.

allow httpd_w3c_validator_script_t httpd_w3c_validator_script_t : tcp_socket { ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown } ;

I suggest you update the selinux-policy package on the affected system. (And while you’re at it, update the rest of the system too. We’re on 6.5 now…) If this doesn’t resolve the problem, report a bug upstream.

View the full question and answer on Server Fault.
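The AVC line in the question names the three things that decide an SELinux denial: the source type (httpd_w3c_validator_script_t), the target type (port_t, the generic label for a TCP port with no service-specific type) and the class/permission pair (tcp_socket name_connect). Before updating the policy package or reporting a bug, a practitioner would want to extract exactly those fields and run the checks that tell a missing rule apart from a port that simply needs a label or a boolean. The script below is an added example, not code from the original question, the answer or the validator project; it uses only POSIX sh, sed and cut, embeds the AVC line from the question as its constructed sample, and only prints (never runs) the standard RHEL/CentOS tools it suggests (sesearch, semanage, getsebool, ausearch, audit2allow).

```shell
#!/bin/sh
# Added example: parse an SELinux AVC denial and print the checks to run next.
# Assumes only POSIX sh, sed and cut. The suggested commands are the standard
# policy tools on RHEL/CentOS 6 (setools, policycoreutils-python, audit).

# Constructed sample: the AVC line quoted in the question, with straight quotes.
SAMPLE_AVC='type=AVC msg=audit(1393503835.221:31235): avc: denied { name_connect } for pid=40041 comm="check" dest=8888 scontext=unconfined_u:system_r:httpd_w3c_validator_script_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'

# avc_field LINE KEY: the VALUE of KEY=VALUE in LINE, quotes stripped.
# KEY must be preceded by a space or "(" so that pid= does not match ppid=.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ (]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms LINE: the permission set inside "denied { ... }", space separated.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//'
}

# ctx_type CONTEXT: the type component (user:role:TYPE:level) of a context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE: the decision-relevant fields on one line.
avc_summary() {
    printf 'source=%s target=%s class=%s perms=%s dest=%s comm=%s\n' \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_perms "$1")" \
        "$(avc_field "$1" dest)" \
        "$(avc_field "$1" comm)"
}

# avc_kind LINE: "network_port" for a socket connect/bind denial on a port
# label (the case where a port type or boolean, not a new module, is the usual
# fix), "other" for everything else.
avc_kind() {
    perms=" $(avc_perms "$1") "
    case "$(avc_field "$1" tclass)" in
        tcp_socket|udp_socket)
            case "$perms" in
                *" name_connect "*|*" name_bind "*) echo network_port ;;
                *) echo other ;;
            esac ;;
        *) echo other ;;
    esac
}

# avc_next_steps LINE: the checks to run, in order, before touching policy.
avc_next_steps() {
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    class=$(avc_field "$1" tclass)
    first_perm=$(avc_perms "$1" | cut -d' ' -f1)
    port=$(avc_field "$1" dest)
    comm=$(avc_field "$1" comm)
    case "$(avc_kind "$1")" in
        network_port)
            echo "# 1. Does the loaded policy allow exactly this triple? (no output = no rule)"
            echo "sesearch -A -s $src -t $tgt -c $class -p $first_perm"
            echo "# 2. Which port type does $port carry? ($tgt means: no service-specific label)"
            echo "semanage port -l | grep -w $port"
            case "$src" in
                httpd_*)
                    echo "# 3. httpd-derived domains are usually gated by this boolean:"
                    echo "getsebool httpd_can_network_connect" ;;
            esac
            echo "# 4. Let audit2allow name the booleans that would cover the denial:"
            echo "ausearch -m avc -c $comm | audit2allow -w" ;;
        *)
            echo "ausearch -m avc -c $comm | audit2allow -w" ;;
    esac
}

avc_summary "$SAMPLE_AVC"
avc_next_steps "$SAMPLE_AVC"
```

Run against the line from the question, the summary reads `source=httpd_w3c_validator_script_t target=port_t class=tcp_socket perms=name_connect dest=8888 comm=check`, and the first suggested check is a sesearch for that exact source, target, class and permission; an allow rule whose target is anything other than port_t (or a port type that 8888 actually carries) will not satisfy this denial, which is why the sesearch triple is worth confirming before concluding the policy package is at fault.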

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.