On RHEL 6.2, we're using httpd on a host as a front-end proxy for Tomcat on another host, and we also have mod_status configured to listen on a non-standard port to provide status info to a monitoring tool. Therefore, we need httpd to 1) establish network connections, and 2) listen on a non-standard port.
The default targeted policy (currently in permissive mode) only allows httpd to listen on a defined list of ports (semanage port -l | grep http_port_t), and won't allow httpd to make outbound network connections. aureport -a shows the AVC denials when httpd tries to bind to the custom status port, and when it tries to connect to the AJP ports on the other host.
I found two solutions, but one seems too permissive, and the other too brittle (i.e. likely to break upon policy upgrade).
"Broad" solution
I used audit2allow to generate a local policy source, then checkmodule to compile it, semodule_package to generate a policy package, and semanage to start enforcing it. I then restarted httpd, and confirmed that no AVC denials were generated. The local policy generated by audit2allow used the following grant:
allow httpd_t port_t:tcp_socket { name_bind name_connect };
which allows httpd to bind to any port (not just those listed in http_port_t), and to connect to any port. The pro of this approach is that it's contained in a local policy, and won't get overridden on the next yum update. The con is that it grants broader permission than is necessary; httpd can bind and connect to any port.
"Narrow" solution
The alternative for binding is to use the following command to add our custom port to the http_port_t list:
semanage port -a -t http_port_t -p tcp (custom-port-number)
I know I can see the list of ports under http_port_t using semanage port -l | grep http_port_t, but I don't know where this list is stored, and don't know if the next yum update with a new policy will overwrite the list.
The alternative for connecting is to use the following command to create a new port list:
semanage port -a -t ajp_port_t -p tcp 9010
and then create a local policy with the following:
allow httpd_t ajp_port_t:tcp_socket { name_connect };
Just like the augmented http_port_t list, I don't know if my new ajp_port_t list will survive installation of a new targeted policy version.
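As an added example that is not part of the original question, the script below carries the "narrow" approach through end to end: label the two ports with semanage, and install a local module that grants httpd_t name_connect on the AJP port type only, rather than audit2allow's grant on port_t. The status port 8090, the module name httpd_local, the sample semanage port -l listing, and the assumption that ajp_port_t already exists in the loaded policy are all constructed for illustration; semanage port -a cannot create a port type, it can only assign an existing one, so check the type with semanage port -l before relying on it. Only the offline parts run without SELinux; the live semanage/semodule steps run when the script is invoked with the argument apply as root.

```shell
#!/bin/bash
# Added example, not part of the original question: the "narrow" SELinux fix
# for httpd on RHEL 6, recorded in the semanage policy store rather than in the
# selinux-policy rpm's files. The port numbers, the module name, the assumption
# that ajp_port_t exists in the loaded policy, and the sample listing below are
# all constructed for illustration.
set -eu

STATUS_PORT=8090            # assumed mod_status listener port
AJP_PORT=9010               # AJP port on the Tomcat host (from the question)
AJP_PORT_TYPE=ajp_port_t    # must already exist: semanage port -a cannot create types
MODULE=httpd_local          # assumed name of the local policy module

# Constructed sample of `semanage port -l` output in RHEL 6 layout.
SAMPLE_PORT_LIST='http_port_t                   tcp      80, 443, 488, 8008, 8009, 8443, 9000
http_cache_port_t              tcp      3128, 8080, 8118, 10001-10010
http_cache_port_t              udp      3130'

# port_is_labeled TYPE PORT [LISTING]: succeed if tcp PORT already carries TYPE
# in a `semanage port -l` listing (live output unless LISTING is supplied).
# Handles both "a, b, c" lists and "lo-hi" ranges.
port_is_labeled() {
    local type="$1" port="$2" listing="${3:-$(semanage port -l)}"
    local ports p lo hi
    ports=$(printf '%s\n' "$listing" \
        | awk -v t="$type" '$1 == t && $2 == "tcp" { $1 = $2 = ""; print }' \
        | tr -d ',')
    for p in $ports; do
        case $p in
            *-*) lo=${p%-*}; hi=${p#*-}
                 if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then return 0; fi ;;
            *)   if [ "$p" -eq "$port" ]; then return 0; fi ;;
        esac
    done
    return 1
}

# narrow_te MODULE PORT_TYPE: emit a type-enforcement module granting httpd_t
# name_connect on PORT_TYPE only, instead of audit2allow's grant on port_t.
narrow_te() {
    cat <<EOF
module $1 1.0;

require {
    type httpd_t;
    type $2;
    class tcp_socket name_connect;
}

allow httpd_t $2:tcp_socket name_connect;
EOF
}

# label_port TYPE PORT: add the label, or change it if the port is already
# defined under another type (semanage port -a refuses to redefine a port).
label_port() {
    if port_is_labeled "$1" "$2"; then return 0; fi
    semanage port -a -t "$1" -p tcp "$2" 2>/dev/null \
        || semanage port -m -t "$1" -p tcp "$2"
}

# apply_narrow_policy: the steps from the question, with the narrow grant.
# Requires root on an SELinux host; only runs when invoked as "... apply".
apply_narrow_policy() {
    label_port http_port_t "$STATUS_PORT"          # lets httpd bind the status port
    label_port "$AJP_PORT_TYPE" "$AJP_PORT"        # lets the rule below reach Tomcat
    narrow_te "$MODULE" "$AJP_PORT_TYPE" > "$MODULE.te"
    checkmodule -M -m -o "$MODULE.mod" "$MODULE.te"
    semodule_package -o "$MODULE.pp" -m "$MODULE.mod"
    semodule -i "$MODULE.pp"
    service httpd restart
    # Confirm nothing is still denied; a clean result prints "<no matches>".
    ausearch -m avc -c httpd -ts recent || true
}

if [ "${1:-}" = apply ]; then
    apply_narrow_policy
else
    # Offline preview of the module that would be installed.
    narrow_te "$MODULE" "$AJP_PORT_TYPE"
fi
```

Both the port labels and the installed module are kept in the semanage policy store (on RHEL 6 under /etc/selinux/targeted/modules/active/), which a selinux-policy rpm update rebuilds around rather than overwrites, so neither customization is lost on yum update. If the AJP port is labelled http_port_t instead, the stock boolean httpd_can_network_relay (setsebool -P httpd_can_network_relay on) grants the connect without any custom module, which is narrower still than allowing httpd_t to reach any port.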