Please open a bugzilla for RHEL7

On 07/20/2016 05:34 PM, Kamil Boratyński wrote:

It looks like SELinux policies block the connection between Redis servers. It is needed for replication purposes.

* sealert

[root@redis-2 ~]# sealert -a /var/log/audit/audit.log
3% done'list' object has no attribute 'split'
103% done
found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/bin/redis-server from name_connect access on the tcp_socket port 6379.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that redis-server should be allowed name_connect access on the port 6379 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep redis-server /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:redis_t:s0
Target Context                system_u:object_r:redis_port_t:s0
Target Objects                port 6379 [ tcp_socket ]
Source                        redis-server
Source Path                   /usr/bin/redis-server
Port                          6379
Host                          <Unknown>
Source RPM Packages           redis-2.8.19-2.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-60.el7_2.7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     redis-2
Platform                      Linux redis-2 3.10.0-327.22.2.el7.x86_64 #1 SMP Thu Jun 23 17:05:11 UTC 2016 x86_64 x86_64
Alert Count                   250
First Seen                    2016-07-20 21:14:59 UTC
Last Seen                     2016-07-20 21:26:05 UTC
Local ID                      90314588-4f75-485a-bce4-3b8b1742fe8f

Raw Audit Messages
type=AVC msg=audit(1469049965.377:1214): avc:  denied  { name_connect } for  pid=5668 comm="redis-server" dest=6379 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:redis_port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1469049965.377:1214): arch=x86_64 syscall=connect success=no exit=EACCES a0=5 a1=7f6e8c010df0 a2=10 a3=7fff1db82944 items=0 ppid=1 pid=5668 auid=4294967295 uid=995 gid=993 euid=995 suid=995 fsuid=995 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=redis-server exe=/usr/bin/redis-server subj=system_u:system_r:redis_t:s0 key=(null)

Hash: redis-server,redis_t,redis_port_t,tcp_socket,name_connect

[root@redis-2 ~]#

* sestatus

[root@redis-2 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
[root@redis-2 ~]#
Policy Type

* kernel-version

[root@redis-2 ~]# uname -a
Linux redis-2 3.10.0-327.22.2.el7.x86_64 #1 SMP Thu Jun 23 17:05:11 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
[root@redis-2 ~]#

* checkpolicy version:

[root@redis-2 ~]# checkpolicy --version
29 (compatibility range 29-15)
[root@redis-2 ~]#

* libselinux-version:

[root@redis-2 ~]# yum info installed libselinux
Loaded plugins: fastestmirror
Installed Packages
Name        : libselinux
Arch        : x86_64
Version     : 2.2.2
Release     : 6.el7
Size        : 159 k
Repo        : installed
From repo   : anaconda
Summary     : SELinux library and simple utilities
URL         : http://oss.tresys.com/git/selinux.git
License     : Public Domain
Description : Security-enhanced Linux is a feature of the Linux® kernel and a number
            : of utilities with enhanced security functionality designed to add
            : mandatory access controls to Linux.  The Security-enhanced Linux
            : kernel contains new architectural components originally developed to
            : improve the security of the Flask operating system. These
            : architectural components provide general support for the enforcement
            : of many kinds of mandatory access control policies, including those
            : based on the concepts of Type Enforcement®, Role-based Access
            : Control, and Multi-level Security.
            :
            : libselinux provides an API for SELinux applications to get and set
            : process and file security contexts and to obtain security policy
            : decisions.  Required for any applications that use the SELinux API.

[root@redis-2 ~]#

* libsemanage:

[root@redis-2 ~]# yum info installed libsemanage
Loaded plugins: fastestmirror
Installed Packages
Name        : libsemanage
Arch        : x86_64
Version     : 2.1.10
Release     : 18.el7
Size        : 220 k
Repo        : installed
From repo   : anaconda
Summary     : SELinux binary policy manipulation library
URL         : http://oss.tresys.com/git/selinux.git
License     : LGPLv2+
Description : Security-enhanced Linux is a feature of the Linux® kernel and a number
            : of utilities with enhanced security functionality designed to add
            : mandatory access controls to Linux.  The Security-enhanced Linux
            : kernel contains new architectural components originally developed to
            : improve the security of the Flask operating system. These
            : architectural components provide general support for the enforcement
            : of many kinds of mandatory access control policies, including those
            : based on the concepts of Type Enforcement®, Role-based Access
            : Control, and Multi-level Security.
            :
            : libsemanage provides an API for the manipulation of SELinux binary
            : policies. It is used by checkpolicy (the policy compiler) and similar
            : tools, as well as by programs like load_policy that need to perform
            : specific transformations on binary policies such as customizing policy
            : boolean settings.

[root@redis-2 ~]#

* policy:

[root@redis-2 ~]# grep redis-server /var/log/audit/audit.log | audit2allow


#============= redis_t ==============
allow redis_t redis_port_t:tcp_socket name_connect;
[root@redis-2 ~]#

In case of any further questions, feel free to ask me.
I think it would be nice to have a boolean value for this.

— K.
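Added example, not code from the report above or from the SELinux project: a small POSIX shell script that does by hand what the `audit2allow` step in the report does, so the rule it produces can be read and checked before any module is loaded. It parses raw AVC records (the sample below is constructed from the denial quoted in the report, with one duplicate to mirror the repeated alerts), prints the deduplicated `allow` rules, wraps them in a `.te` source with the `require` block that `checkmodule` needs, and prints the standard build steps (`checkmodule`, `semodule_package`, `semodule -i`) instead of running them. The module name `redis_repl_local` is a placeholder; the awk parsing is a simplified reimplementation, not the real `audit2allow`.

```shell
#!/bin/sh
# Added example: AVC denial records -> allow rules -> reviewable local policy module source.
# Not the reporter's code and not audit2allow itself; a simplified reimplementation.

# Constructed sample input, modelled on the denial quoted in the report.
# The AVC record appears twice (different serials) to show that many
# identical denials collapse into a single rule.
SAMPLE_AVC='type=AVC msg=audit(1469049965.377:1214): avc:  denied  { name_connect } for  pid=5668 comm="redis-server" dest=6379 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:redis_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1469049965.377:1214): arch=x86_64 syscall=connect success=no exit=EACCES comm=redis-server exe=/usr/bin/redis-server subj=system_u:system_r:redis_t:s0
type=AVC msg=audit(1469049965.377:1215): avc:  denied  { name_connect } for  pid=5668 comm="redis-server" dest=6379 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:redis_port_t:s0 tclass=tcp_socket'

# avc_to_allow: read audit records on stdin, print one deduplicated
# "allow SRC TGT:CLASS PERM;" line per denied permission, sorted.
# Only the type field (third colon-separated part) of each context is used,
# which is exactly what the rule in the report refers to (redis_t, redis_port_t).
avc_to_allow() {
    awk '
    /avc: +denied/ {
        perms = $0
        sub(/.*[{] */, "", perms); sub(/ *[}].*/, "", perms)   # text inside { }
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split(substr($i, 10), a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); tgt = b[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "") next    # malformed record, skip it
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) rules[src " " tgt ":" cls " " p[j]] = 1
    }
    END { for (r in rules) print "allow " r ";" }
    ' | sort
}

# allow_to_te: wrap allow rules from stdin in policy module source.
# $1 is the module name. The require block declares every type and every
# class/permission the rules use, which checkmodule insists on.
allow_to_te() {
    awk -v mod="$1" '
    {
        split($3, tc, ":")                 # field 3 is TGT:CLASS
        perm = $4; sub(/;$/, "", perm)
        types[$2] = 1; types[tc[1]] = 1
        if (!seen[tc[2], perm]++)
            classes[tc[2]] = (classes[tc[2]] == "" ? perm : classes[tc[2]] " " perm)
        rules[NR] = $0
    }
    END {
        print "module " mod " 1.0;"
        print ""
        print "require {"
        for (t in types) print "\ttype " t ";"
        for (c in classes) print "\tclass " c " { " classes[c] " };"
        print "}"
        print ""
        for (i = 1; i <= NR; i++) print rules[i]
    }'
}

# build_commands: the standard compile/package/load steps for a module named $1.
# Printed rather than executed so the generated .te is reviewed first.
build_commands() {
    cat <<EOF
checkmodule -M -m -o $1.mod $1.te
semodule_package -o $1.pp -m $1.mod
semodule -i $1.pp
EOF
}

# Run with "run" as the first argument to print the .te source and build steps.
if [ "${1:-}" = "run" ]; then
    printf '%s\n' "$SAMPLE_AVC" | avc_to_allow | allow_to_te redis_repl_local
    echo
    build_commands redis_repl_local
fi
```

Running it with `sh script.sh run` prints a module containing the single rule `allow redis_t redis_port_t:tcp_socket name_connect;`, the same line the report's `audit2allow` run produced. Reading the generated rule is the point: it only lets the Redis domain connect to the Redis port type, which is as narrow as a local module for this denial can be. Before loading such a module it is still worth checking whether the installed policy already offers a boolean for the access (`getsebool -a` lists them), which is what the reporter is asking for.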