Am 28.07.2018 um 11:19 schrieb Peter Boy:
In F28 I try to connect from an Apache to a tomcat container, both installed on the same server, using AJP protocol, but SELinux denies access.
I (try to) use standard port 8009:
[root@camena ~]# semanage port -l | grep http
http_cache_port_t tcp 8080, 8118, 8123, 10001-10010
http_cache_port_t udp 3130
http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000
But a look at audit.log shows:
type=AVC msg=audit(1532760423.923:2154): avc: denied { name_connect } for pid=6231 comm="httpd"
dest=8009
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1
The same happens if I try to connect using a non-standard port (8210, after using semanage to add that port to http_port_t). It is the identical message besides the dest.
*aAfter* I delete the local modification using semanage -D I get:
type=AVC msg=audit(1532759778.298:2149): avc: denied { name_connect } for pid=985 comm="httpd"
dest=8210
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
On RHEL7 / CentOS7 everything works just fine.
I couldn’t find a clean search the web. So, any help much appreciated.
Thanks
Peter
Piping the AVC message into audit2why isn't helpful?
Please check "setsebool -P httpd_can_network_connect=1"
Alexander
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx/message/QTPQA6CBRVPOUKIAEGB7RCTYTDZHMESS/
