We have a service mapped to the web application.
So, we need to allow 80 port and 16700 for its backend service.
During login, it will connect to this service for authentication and other parts of data.
in firewall, we allow these two using
firewall-cmd –permanent –add-port=16700/tcp
firewall-cmd –permanent –add-port=80/tcp
If I disable selinux or set to permissive it is working.
If I set enforcing, it is not working.
So, I added below for 80 port.
setsebool -P httpd_can_network_connect on
But, it is dailing the login attempt still, because of 16700 port.
And adding this 16700 to the http_port_t also doesn't work.
semanage port -a -t http_port_t -p tcp 16700
And this 16700 is not there in bool also.
Any suggestion, how to enable this port in selinux?
OS: Redhat 7.4
Best Answer
semanage port -a -t http_port_t -p tcp 16700is the correct action to allow the port in SELinux. If it "doesn't work" then you need to figure out why. Check the error messages you may have received, check the audit log, check the rest of the logs just to be sure.Of course, you also need to open the port in the firewall, and you don't seem to have done that. You changed the configuration on disk, but not the actual running firewall. Open the port with:
It's best practice to not use
--permanentexcept for commands which actually require it, such as adding and removing zones. If you make a mistake adding a port, and lock yourself out, you can simply restart the firewall (or the VM) to recover. If you added a wrong rule as a permanent rule, then as soon as the firewall restarts, you will be locked out and have great difficulty recovering. Once you are sure the running firewall works correctly, you can save it withfirewall-cmd --runtime-to-permanent.