Apache is confined in the default SELinux policy on CentOS/Fedora/RHEL (and
also in all SELinux-enabled distros using the reference policy). This means
that the apache process can't connect to the funcwebd port (51236) unless we
use one of the following:

1. Set httpd_can_network_connect:

   # setsebool -P httpd_can_network_connect 1

   This basically means that the httpd process can connect to any port it
   wants. This obviously gives httpd much more power than it needs.

2. Use semanage to mark port 51236 as http_port_t:

   # semanage port -a -t http_port_t -p tcp 51236

   This basically means that 51236 is one of apache's own ports, so it can
   connect to it without any problems.

3. Ship our own loadable SELinux policy:

   module funcweb 0.1;

   require {
       type httpd_t;
       type port_t;
       attribute port_type;
       class tcp_socket name_connect;
   }

   type funcweb_port_t, port_type;

   allow httpd_t funcweb_port_t:tcp_socket name_connect;

   Save the above as funcweb.te, then compile and load the module:

   # checkmodule -M -m -o funcweb.mod funcweb.te
   # semodule_package -o funcweb.pp -m funcweb.mod
   # semodule -i funcweb.pp

   Now we have to specify which port(s) should be marked as funcweb_port_t:

   # semanage port -a -t funcweb_port_t -p tcp 51236

I've only done some limited testing on CentOS5 and FC8, but it's simple so it
should be working ok. I'm not sure about some older RHELs with some ancient
SELinux... Does RHEL4 support loadable policy? I'll probably have to check
that.

I personally like the 3rd option the most. Any comments?

_______________________________________________
Func-list mailing list
Func-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/func-list
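An added audit helper, not part of the original post, that works out which of the three approaches above is currently in effect for httpd_t and port 51236 by parsing the output of `getsebool`, `semanage port -l` and `semodule -l` (their row layouts are assumed; the sample outputs embedded below are constructed, so the script runs without SELinux tools present):

```shell
#!/bin/sh
# Added example (not from the original post): decide how httpd_t reaches
# funcwebd's port from the output of getsebool, semanage port -l and
# semodule -l.  Sample outputs at the bottom are constructed.
FUNCWEB_PORT=51236

# classify_funcweb_access BOOL_OUT PORTS_OUT MODULES_OUT
#   BOOL_OUT    output of: getsebool httpd_can_network_connect
#   PORTS_OUT   output of: semanage port -l
#   MODULES_OUT output of: semodule -l
# Prints "<option>:<explanation>"; option 0 means httpd_t is still blocked.
classify_funcweb_access() {
    case "$1" in
        *'--> on'*) echo "1:httpd_can_network_connect is on (httpd_t may connect to any port)"; return ;;
    esac
    # Each `semanage port -l` row is "<type> <proto> <port>, <port>, <lo>-<hi>, ...".
    # A port listed explicitly wins over a range that merely contains it.
    ptype=$(printf '%s\n' "$2" | awk -v p="$FUNCWEB_PORT" '
        $2 == "tcp" {
            for (i = 3; i <= NF; i++) {
                v = $i; sub(/,$/, "", v)
                if (v == p) exact = $1
                else if (v ~ /^[0-9]+-[0-9]+$/) {
                    split(v, r, "-")
                    if (range == "" && p+0 >= r[1]+0 && p+0 <= r[2]+0) range = $1
                }
            }
        }
        END { print (exact != "" ? exact : range) }')
    case "$ptype" in
        http_port_t) echo "2:port $FUNCWEB_PORT is http_port_t (treated as one of apache's own ports)" ;;
        funcweb_port_t)
            # The dedicated type only helps once the funcweb module supplies the allow rule.
            if printf '%s\n' "$3" | awk '$1 == "funcweb" { ok = 1 } END { exit !ok }'; then
                echo "3:port $FUNCWEB_PORT is funcweb_port_t and the funcweb module is loaded"
            else
                echo "0:port $FUNCWEB_PORT is funcweb_port_t but the funcweb module is not loaded"
            fi ;;
        *) echo "0:port $FUNCWEB_PORT is ${ptype:-unlabelled}; httpd_t has no name_connect rule for it" ;;
    esac
}

# Constructed sample outputs (abridged from what the tools print).
BOOL_OFF='httpd_can_network_connect --> off'
PORTS_OPT3='SELinux Port Type   Proto   Port Number
funcweb_port_t      tcp     51236
http_port_t         tcp     80, 81, 443, 488, 8008, 8009, 8443, 9000
unreserved_port_t   tcp     1024-65535'
MODULES='funcweb 0.1
httpd   1.2'

classify_funcweb_access "$BOOL_OFF" "$PORTS_OPT3" "$MODULES"
```

On a live host, call it as `classify_funcweb_access "$(getsebool httpd_can_network_connect)" "$(semanage port -l)" "$(semodule -l)"`.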