Redhat – SElinux: allow httpd to connect to a specific port

apache-2.2redhatredisselinux

My system is running CentOS 6.4 with apache2.2.15. SElinux is enforcing and I'm trying to connect to a local instance of redis through my python/wsgi app. I get Error 13, Permission denied. I could fix this via the command:

setsebool -P httpd_can_network_connect

However, I don't exactly want httpd to be able to connect to all tcp ports. How can I specify which ports/networks httpd is allowed to connect to? If I could make a module to allow httpd to connect to port 6379 ( redis ) or any tcp on 127.0.0.1, that would be preferable. Not sure why my paranoia is so strong on this, but hey…

Anyone know?

Best Answer

By default, the SELinux policy will only allow services access to recognized ports associated with those services:

# semanage port -l | egrep '(^http_port_t|6379)'
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
# curl http://localhost/redis.php
Cannot connect to redis server.

- add Redis port (6379) to SELinux policy

# semanage port -a -t http_port_t -p tcp 6379
# semanage port -l | egrep '(^http_port_t|6379)'
http_port_t                    tcp      6379, 80, 81, 443, 488, 8008, 8009, 8443, 9000
# curl http://localhost/redis.php
Connected successfully.

You can also install setroubleshoot-server RPM and run: sealert -a /var/log/audit/audit.log - it will give you a nice report with useful suggestions (including command above).

PHP script to test connection:

# cat redis.php 
<?php

$redis=new Redis();
$connected= $redis->connect('127.0.0.1', 6379);

if(!$connected) {
        die( "Cannot connect to redis server.\n" );
}

echo "Connected successfully.\n";

?>

Related Solutions

SELinux – Limit httpd Outbound Connections by Address and Port

The following SELinux policy will be needed to set this up. NOTE: I assume here that the ajp_port_t type does not actually exist on the system currently.

policy_module(myhttpd, 1.0.0)

gen_require(`
        type httpd_t;
')

type ajp_packet_t;
corenet_packet(ajp_packet_t)

type ajp_port_t;
corenet_port(ajp_port_t)

allow httpd_t ajp_port_t:tcp_socket { client_stream_socket_perms name_connect };
allow httpd_t ajp_port_t:packet { flow_in flow_out forward_in forward_out recv send };

Follow this up by the command

semanage port -a -t ajp_port_t -p tcp 9010

To manage the address, thats somewhat more complicated. And your liable to possibly cause the box to stop responding over the network! So be warned.

For this, you'll need this policy module, it permits all domains to send/recv unlabelled packets. If you dont do this first you can lose network because by default nearly all domains have no permissions to send / recv unlabelled packets!

policy_module(unconfined_packets, 1.0.0)
require {
        attribute domain;
        type unlabeled_t;
}

gen_tunable(allow_unlabeled_packets, `true');

tunable_policy(allow_unlabeled_packets, `
        allow domain unlabeled_t:packet { flow_in flow_out forward_in forward_out recv send };
')

You then must mark the packets inbound and outbound from that host using iptables.

iptables -I INPUT -p tcp --sport 9010 -s <src_addr> -j SECMARK --selctx system_u:object_r:ajp_packet_t
iptables -I OUTPUT -p tcp --dport 9010 -d <dst_addr> -j SECMARK --selctx system_u:object_r:ajp_packet_t
iptables -A INPUT -j CONNSECMARK --restore
iptables -A OUTPUT -j CONNSECMARK --save

Redhat – Unable to start the Phusion Passenger – Cannot change the directory – Operation not permitted (errno=1)

There are two approaches:

disable SELinux
go through the SELinux audit log and add exceptions for the service. See here. Essentially you would need to use audit2allow to create the exceptions, restart HTTPD, find the next set of exceptions and repeat until you go them all.

Best Answer

Related Solutions

SELinux – Limit httpd Outbound Connections by Address and Port

Redhat – Unable to start the Phusion Passenger – Cannot change the directory – Operation not permitted (errno=1)

Related Topic