httpd blocked from http_cache_port_t

Would someone please explain the reason that httpd should not by default be allowed to connect to http_cache_port_t. What would be the downside to my allowing this? FWIW, httpd seems to work just fine with that connection blocked (the content does get sent), but it causes a flood of SELinux alerts.

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:http_cache_port_t:s0
Target Objects                 [ tcp_socket ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          8080
Host                          omega-3g.local
Source RPM Packages           httpd-2.2.15-69.el6.centos.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-312.el6.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     omega-3g.local
Platform                      Linux omega-3g.local 2.6.32-754.31.1.el6.x86_64 #1
                              SMP Wed Jul 15 16:02:21 UTC 2020 x86_64 x86_64
Alert Count                   33
First Seen                    Sat 15 Aug 2020 06:48:57 PM CDT
Last Seen                     Sat 15 Aug 2020 06:49:29 PM CDT
Local ID                      9cff892f-b1e6-4823-ae34-e1a3cf532f2f

Raw Audit Messages
type=AVC msg=audit(1597535369.505:23573): avc:  denied  { name_connect } for  pid=3596 comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket


type=SYSCALL msg=audit(1597535369.505:23573): arch=x86_64 syscall=connect success=no exit=EACCES a0=a a1=56246d05d160 a2=10 a3=4 items=0 ppid=1 pid=3596 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: httpd,httpd_t,http_cache_port_t,tcp_socket,name_connect

--
Bob Nichols         RNichols42@xxxxxxxxxxx
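The denial in the post, parsed and mapped to its least-privilege remedy, as an added example that is not from the post or from the SELinux project. It assumes the RHEL 6 targeted policy's apache booleans: httpd_can_network_relay grants httpd_t name_connect to http_cache_port_t together with the other relay port types, which is why the policy leaves outbound connections off by default and why httpd_can_network_connect (every TCP port) is the broader lever; the audit lines beyond the post's own AVC record are constructed.

```python
"""Parse SELinux AVC denials and name the narrowest remedy for each distinct one."""
import re
from collections import Counter
from typing import NamedTuple, Optional

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERM_RE = re.compile(r'\{\s*([^}]*?)\s*\}')

# Narrowest boolean that grants httpd_t name_connect to a port type in the RHEL 6
# targeted policy's apache module. Partial table, assumed for this example; check
# on the host with: sesearch -A -s httpd_t -t http_cache_port_t -c tcp_socket
NARROW_BOOLEANS = {"http_cache_port_t": "httpd_can_network_relay",
                   "http_port_t": "httpd_can_network_relay"}

class Denial(NamedTuple):
    perms: tuple
    stype: str
    ttype: str
    tclass: str

def parse_avc(line: str) -> Optional[Denial]:
    """Denial for an AVC 'denied' record; None for SYSCALL and other audit lines."""
    if not line.startswith("type=AVC") or " denied " not in line:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    perms = tuple(PERM_RE.search(line).group(1).split())
    return Denial(perms, kv["scontext"].split(":")[2],
                  kv["tcontext"].split(":")[2], kv["tclass"])

def remedy(d: Denial) -> str:
    """Narrow boolean if one covers the port type, else a one-rule local module
    rather than httpd_can_network_connect, which opens every TCP port."""
    if d.stype != "httpd_t" or d.tclass != "tcp_socket" or "name_connect" not in d.perms:
        return "not an httpd outbound-connect denial; inspect with audit2allow"
    if d.ttype in NARROW_BOOLEANS:
        return f"setsebool -P {NARROW_BOOLEANS[d.ttype]} on"
    return f"local module: allow httpd_t {d.ttype}:tcp_socket name_connect;"

def summarize(audit_text: str) -> dict:
    """Distinct denial -> (count, remedy), folding repeats like setroubleshoot's Alert Count."""
    counts = Counter(d for d in map(parse_avc, audit_text.splitlines()) if d)
    return {d: (n, remedy(d)) for d, n in counts.items()}

# Constructed sample: the AVC line from the post, repeated once with a later
# serial, plus a made-up denial against a port type no narrow httpd boolean covers.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1597535369.505:23573): avc:  denied  { name_connect } for  pid=3596 comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1597535370.100:23574): avc:  denied  { name_connect } for  pid=3596 comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1597535400.000:23600): avc:  denied  { name_connect } for  pid=3596 comm="httpd" dest=22 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket
"""
```

Run it against `ausearch -m avc -ts recent` output instead of the sample to get one remedy per distinct denial rather than one alert per repeat.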
