Hello,
I was wondering if any one has seen issues with selinux name_bind denials
that result from having IP:PORT bindings for services to specific IP
addresses managed on an interface under NetworkManager's control?
I do realize that people will probably say stop using NetworkManager, and I
may, but the behavior is strange, and I'd like to have a better
understanding of what's going on.
The config is like so:
# nmcli c mod eth0 ipv4.addresses 192.168.1.10/24,192.168.1.11/24
# nmcli c down eth0
# nmcli c up eth0
# getenforce
Enforcing
# systemctl start httpd
<errors> permission denied binding to 192.168.1.10:443
Apache has two simple IP based VHosts, site1 and site2, with different (and
correct dns records and ssl certs). I'm snipping the config because I know
the Apache config works.
Listen 443
<VirtualHost 192.168.1.10:443>
...
<VirtualHost 192.168.1.11:443>
...
I find the denial strange. I've done some testing such as removing one
VHost's config and adding a NIC to the VM (eth1) and reconfigure to have 1
IP on each NIC and use both Vhosts. Either way, the selinux denial
disappears and everything works. All the packaged selinux policy relating
to httpd_t and access to port 443 is correct.
I don't doubt that if I ditched NetworkManager and went for eth0:0 and
eth0:1 for the IP interfaces, all would be well. I'd just like to see if
anyone has some input on the issue.
--Sean
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
