8

On RHEL 6.2, we're using httpd on a host as a front-end proxy for Tomcat on another host, and we also have mod_status configured to listen on a non-standard port to provide status info to a monitoring tool. Therefore, we need httpd to 1) establish network connections, and 2) listen on a non-standard port.

The default targeted policy (currently in permissive mode) only allows httpd to listen on a defined list of ports (semanage port -l | grep http_port_t), and won't allow httpd to make outbound network connections. aureport -a shows the AVC denials when httpd tries to bind to the custom status port, and when it tries to connect to the AJP ports on the other host.

I found two solutions, but one seems too permissive, and the other too brittle (i.e. likely to break upon policy upgrade).

"Broad" solution

I used audit2allow to generate a local policy source, then checkmodule to compile it, semodule_package to generate a policy package, and semanage to start enforcing it. I then restarted httpd, and confirmed that no AVC denials were generated. The local policy generated by audit2allow used the following grant:

allow httpd_t port_t:tcp_socket { name_bind name_connect };

which allows httpd to bind to any port (not just those listed in http_port_t), and to connect to any port. The pro of this approach is that it's contained in a local policy, and won't get overridden on the next yum update. The con is that it grants broader permission than necessary; httpd can bind and connect to any port.

"Narrow" solution

The alternative for binding is to use the following command to add our custom port to the http_port_t list:

semanage port -a -t http_port_t -p tcp (custom-port-number)

I know I can see the list of ports under http_port_t using semanage port -l | grep http_port_t, but I don't know where this list is stored, and don't know if the next yum update with a new policy will overwrite the list.

The alternative for connecting is to use the following command to create a new port list:

semanage port -a -t ajp_port_t -p tcp 9010

and then create a local policy with the following:

allow httpd_t ajp_port_t:tcp_socket { name_connect };

Just like the augmented http_port_t list, I don't know if my new ajp_port_t list will survive installation of a new targeted policy version.

1 Answer

4

semanage creates new modules which are not under the control of the policy package. When the policy package is upgraded, these modules will remain and will be applied to the new policy when it is loaded.

  • 2
    Thanks! I looked into this further and found that semanage port commands caused the creation or modification of /etc/selinux/(policy-name)/modules/active/ports.local. I also was able to define a new port list (e.g. ajp_port_t) in a local policy, activate that policy, and then use semanage to populate ajp_port_t.
    – Eric Rath
    Feb 24, 2012 at 20:18
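Combining the "narrow" solution from the question with the persistence point in the answer, as an added example (not code from the question, the answer, or the comment): one script that declares ajp_port_t in a local module, grants httpd_t name_connect to that type only, installs the module with checkmodule/semodule_package/semodule, and then adds both ports with semanage. The mod_status port 8089 and the module name httpd_ajp_local are assumed; 9010 is the AJP port from the question.

```shell
#!/bin/sh
# Added example, not from the original post: the "narrow" fix as one script.
# Assumed: the mod_status port (8089) and the module name (httpd_ajp_local);
# 9010 is the AJP port from the question. Run as root: sh httpd_ajp_local.sh apply
set -eu

STATUS_PORT=8089         # assumed custom mod_status listener port
AJP_PORT=9010            # AJP port on the Tomcat host (from the question)
MODULE=httpd_ajp_local   # assumed name for the local policy module
# Reject anything that is not a TCP port number in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the policy source for checkmodule. Instead of the broad
# "allow httpd_t port_t ..." rule it declares a dedicated port type
# (ajp_port_t, as the asker did) and lets httpd_t connect only to it.
# Binding to the status port needs no rule once that port is in http_port_t.
gen_te() {
    cat <<EOF
module $MODULE 1.0;

require {
    type httpd_t;
    attribute port_type;
    class tcp_socket name_connect;
}

type ajp_port_t, port_type;
allow httpd_t ajp_port_t:tcp_socket name_connect;
EOF
}
# Build and install the module, then label the two ports. semanage records
# the mappings in ports.local under the policy store, so they survive
# selinux-policy package upgrades (the point made in the answer).
apply_policy() {
    valid_port "$STATUS_PORT"
    valid_port "$AJP_PORT"
    gen_te > "$MODULE.te"
    checkmodule -M -m -o "$MODULE.mod" "$MODULE.te"
    semodule_package -o "$MODULE.pp" -m "$MODULE.mod"
    semodule -i "$MODULE.pp"
    semanage port -a -t http_port_t -p tcp "$STATUS_PORT"
    semanage port -a -t ajp_port_t -p tcp "$AJP_PORT"
    semanage port -l | grep -E '^(http|ajp)_port_t'   # confirm, then restart httpd
}
if [ "${1:-}" = "apply" ]; then apply_policy; fi
```

After restarting httpd, an empty `ausearch -m avc -ts recent` (or `aureport -a`) confirms the narrow grant is sufficient; with no AVC denials left, the host can move from permissive to enforcing mode.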
