I having a rather persistent issue with my Redis
instance. While SELinux
is in enforcing
mode, Redis
server is unable to start:
[root@server ~]# service redis start
Starting redis-server: [ OK ]
But in fact, it did not start as shown by lsof
. It returns no result:
[root@server ~]# lsof -i :6379
To futher confirm the it is not running, there is a redis log:
[5539] 21 Nov 03:44:34 # Opening port 6379: bind: Permission denied
Now, I am pretty new with SELinux
managing so, please bear with me as I might have missed something. This is what I was able to see:
[root@server ~]# semanage port -l | grep "redis"
redis_port_t tcp 6379
[root@server ~]# semanage user -l
SELinux User Prefix MCS Level MCS Range SELinux Roles
....
redis user s0 s0 user_r
....
The above redis
user did not exist initially, but I tried adding it as redis-server
really runs under it. That did not help…
Just to note, Redis server is used internally, so it listens only to 127.0.0.1:6379
.
Does anyone have any ideas?
For the time being, I can put SELinux
in permissive mode, but I would really like to tighten it up and do it "by-the-book".
UPDATE:
[root@server ~]# ausearch -ts recent -m avc
----
time->Thu Nov 24 13:48:13 2016
type=SYSCALL msg=audit(1480013293.595:34717): arch=c000003e syscall=49 success=no exit=-13 a0=4 a1=7ffea866c0f0 a2=10 a3=7ffea866be50 items=0 ppid=1 pid=16468 auid=0 uid=495 gid=495 euid=495 suid=495 fsuid=495 egid=495 sgid=495 fsgid=495 tty=(none) ses=5202 comm="redis-server" exe="/usr/sbin/redis-server" subj=unconfined_u:system_r:redis_t:s0 key=(null)
type=AVC msg=audit(1480013293.595:34717): avc: denied { name_bind } for pid=16468 comm="redis-server" src=6379 scontext=unconfined_u:system_r:redis_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
UPDATE(2)
[root@server ~]# rpm -qa | grep -i redis
redis-2.4.10-1.el6.x86_64
php56w-pecl-redis-2.2.7-1.w6.x86_64
SOLUTION:
Following @Matthew's suggestion, I started analyzing the redis_port_t
and http_port_t
:
[root@server ~]# semanage port -l | grep "redis_port_t"
redis_port_t tcp 6379
[root@server ~]# semanage port -l | grep "http_port_t"
http_port_t tcp 6379, 80, 81, 443, 488, 8008, 8009, 8443, 9000
And there it was! The port 6379
was added to both of port policies! And yes, I know remember doing this when I started the migration 🙁 (shame on me).
So, running this fixed the issue:
semanage port -d -t http_port_t 6379
semanage permissive -d redis_t // I don't need this anymore
service redis restart
lsof -i :6379
And there it was 🙂
redis-ser 4575 redis 4u IPv4 236174 0t0 TCP localhost:6379 (LISTEN)
Best Answer
I think theres something odd going on in that policy of yours.
If you check the audit logs, it says whilst the SELinux source context is correctly labelled as
redis_t
the target context is labelled ashttp_port_t
. This is despite what your policy says, that it should beredis_port_t
.This means whats in the kernel and whats in policy dont match. The port is still 6379 though.
You may want to check what you have configured for your
http_port_t
as well as yourredis_port_t
. As far as I understand, port policy bindings can only have one label per port/protocol, so I suspect whats in your policy store does not reflect whats in your server presently.You may want to try doing a
semodule -B
to rebuild and reload your policy to try to fix the synchronization problem.If no luck, search whats in the port listings for
http_port_t
and update the question.