It looks like SELinux policies block the connection between Redis servers. It is needed for replication purposes.

* sealert

    [root@redis-2 ~]# sealert -a /var/log/audit/audit.log
    3% done'list' object has no attribute 'split'
    103% done
    found 1 alerts in /var/log/audit/audit.log
    --------------------------------------------------------------------------------

    SELinux is preventing /usr/bin/redis-server from name_connect access on the tcp_socket port 6379.

    ***** Plugin catchall (100. confidence) suggests **************************

    If you believe that redis-server should be allowed name_connect access on the port 6379 tcp_socket by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # grep redis-server /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp

    Additional Information:
    Source Context                system_u:system_r:redis_t:s0
    Target Context                system_u:object_r:redis_port_t:s0
    Target Objects                port 6379 [ tcp_socket ]
    Source                        redis-server
    Source Path                   /usr/bin/redis-server
    Port                          6379
    Host                          <Unknown>
    Source RPM Packages           redis-2.8.19-2.el7.x86_64
    Target RPM Packages
    Policy RPM                    selinux-policy-3.13.1-60.el7_2.7.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Enforcing
    Host Name                     redis-2
    Platform                      Linux redis-2 3.10.0-327.22.2.el7.x86_64 #1 SMP
                                  Thu Jun 23 17:05:11 UTC 2016 x86_64 x86_64
    Alert Count                   250
    First Seen                    2016-07-20 21:14:59 UTC
    Last Seen                     2016-07-20 21:26:05 UTC
    Local ID                      90314588-4f75-485a-bce4-3b8b1742fe8f

    Raw Audit Messages
    type=AVC msg=audit(1469049965.377:1214): avc: denied { name_connect } for pid=5668 comm="redis-server" dest=6379 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:redis_port_t:s0 tclass=tcp_socket

    type=SYSCALL msg=audit(1469049965.377:1214): arch=x86_64 syscall=connect success=no exit=EACCES a0=5 a1=7f6e8c010df0 a2=10 a3=7fff1db82944 items=0 ppid=1 pid=5668 auid=4294967295 uid=995 gid=993 euid=995 suid=995 fsuid=995 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=redis-server exe=/usr/bin/redis-server subj=system_u:system_r:redis_t:s0 key=(null)

    Hash: redis-server,redis_t,redis_port_t,tcp_socket,name_connect

    [root@redis-2 ~]#

* sestatus

    [root@redis-2 ~]# sestatus
    SELinux status:                 enabled
    SELinuxfs mount:                /sys/fs/selinux
    SELinux root directory:         /etc/selinux
    Loaded policy name:             targeted
    Current mode:                   enforcing
    Mode from config file:          enforcing
    Policy MLS status:              enabled
    Policy deny_unknown status:     allowed
    Max kernel policy version:      28
    [root@redis-2 ~]#

* kernel-version

    [root@redis-2 ~]# uname -a
    Linux redis-2 3.10.0-327.22.2.el7.x86_64 #1 SMP Thu Jun 23 17:05:11 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
    [root@redis-2 ~]#

* checkpolicy version:

    [root@redis-2 ~]# checkpolicy --version
    29 (compatibility range 29-15)
    [root@redis-2 ~]#

* libselinux-version:

    [root@redis-2 ~]# yum info installed libselinux
    Loaded plugins: fastestmirror
    Installed Packages
    Name        : libselinux
    Arch        : x86_64
    Version     : 2.2.2
    Release     : 6.el7
    Size        : 159 k
    Repo        : installed
    From repo   : anaconda
    Summary     : SELinux library and simple utilities
    URL         : http://oss.tresys.com/git/selinux.git
    License     : Public Domain
    Description : Security-enhanced Linux is a feature of the Linux® kernel and a number
                : of utilities with enhanced security functionality designed to add
                : mandatory access controls to Linux. The Security-enhanced Linux
                : kernel contains new architectural components originally developed to
                : improve the security of the Flask operating system. These
                : architectural components provide general support for the enforcement
                : of many kinds of mandatory access control policies, including those
                : based on the concepts of Type Enforcement®, Role-based Access
                : Control, and Multi-level Security.
                :
                : libselinux provides an API for SELinux applications to get and set
                : process and file security contexts and to obtain security policy
                : decisions. Required for any applications that use the SELinux API.

    [root@redis-2 ~]#

* libsemanage:

    [root@redis-2 ~]# yum info installed libsemanage
    Loaded plugins: fastestmirror
    Installed Packages
    Name        : libsemanage
    Arch        : x86_64
    Version     : 2.1.10
    Release     : 18.el7
    Size        : 220 k
    Repo        : installed
    From repo   : anaconda
    Summary     : SELinux binary policy manipulation library
    URL         : http://oss.tresys.com/git/selinux.git
    License     : LGPLv2+
    Description : Security-enhanced Linux is a feature of the Linux® kernel and a number
                : of utilities with enhanced security functionality designed to add
                : mandatory access controls to Linux. The Security-enhanced Linux
                : kernel contains new architectural components originally developed to
                : improve the security of the Flask operating system. These
                : architectural components provide general support for the enforcement
                : of many kinds of mandatory access control policies, including those
                : based on the concepts of Type Enforcement®, Role-based Access
                : Control, and Multi-level Security.
                :
                : libsemanage provides an API for the manipulation of SELinux binary
                : policies. It is used by checkpolicy (the policy compiler) and similar
                : tools, as well as by programs like load_policy that need to perform
                : specific transformations on binary policies such as customizing policy
                : boolean settings.

    [root@redis-2 ~]#

* policy:

    [root@redis-2 ~]# grep redis-server /var/log/audit/audit.log | audit2allow
    #============= redis_t ==============
    allow redis_t redis_port_t:tcp_socket name_connect;
    [root@redis-2 ~]#

In case of any further questions, feel free to ask me. I think it would be nice to have a boolean value for this.

— K.
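Added example, not from the report above or from the SELinux tools: a small Python reimplementation of the step audit2allow performed in the "policy" section, turning raw AVC denial records into candidate allow rules grouped by source type, target type and object class, so an administrator can see exactly which type pairs a local module would open before loading it. The function names are my own; the sample log lines are constructed from the AVC and SYSCALL records quoted in the report.

```python
import re
from collections import defaultdict

# Fields an AVC denial carries that are needed to write a type-enforcement allow rule.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(ctx):
    """Return the type component of a context like system_u:system_r:redis_t:s0."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ctx

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for an AVC denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None          # SYSCALL and other record types carry no denial
    return (context_type(m.group("scontext")), context_type(m.group("tcontext")),
            m.group("tclass"), set(m.group("perms").split()))

def denials_to_rules(lines, comm=None):
    """Merge denials into allow rules, optionally restricted to one comm= value (hypothetical helper)."""
    merged = defaultdict(set)
    for line in lines:
        if comm is not None and f'comm="{comm}"' not in line:
            continue
        parsed = parse_avc(line)
        if parsed is None:
            continue
        src, tgt, tclass, perms = parsed
        merged[(src, tgt, tclass)] |= perms
    return [f"allow {src} {tgt}:{tclass} {' '.join(sorted(perms))};"
            for (src, tgt, tclass), perms in sorted(merged.items())]

# Constructed sample input: the AVC record from the report (seen 250 times on the host,
# so it is listed twice to show de-duplication) plus its unrelated SYSCALL record.
SAMPLE_AUDIT_LOG = [
    'type=AVC msg=audit(1469049965.377:1214): avc: denied { name_connect } for pid=5668 comm="redis-server" dest=6379 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:redis_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1469049965.377:1214): avc: denied { name_connect } for pid=5668 comm="redis-server" dest=6379 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:redis_port_t:s0 tclass=tcp_socket',
    'type=SYSCALL msg=audit(1469049965.377:1214): arch=x86_64 syscall=connect success=no exit=EACCES comm=redis-server exe=/usr/bin/redis-server subj=system_u:system_r:redis_t:s0',
]

if __name__ == "__main__":
    for rule in denials_to_rules(SAMPLE_AUDIT_LOG, comm="redis-server"):
        print(rule)   # allow redis_t redis_port_t:tcp_socket name_connect;
```

Grouping on (source type, target type, class) rather than on the raw line is what makes the output reviewable: one rule per type pair, so a module built from it grants nothing beyond the pairs listed.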
_______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.