Am 28.07.2018 um 11:19 schrieb Peter Boy:
In F28 I try to connect from an Apache to a tomcat container, both
installed on the same server, using AJP protocol, but SELinux denies access.
I (try to) use standard port 8009:
[root@camena ~]# semanage port -l | grep http
http_cache_port_t tcp 8080, 8118, 8123, 10001-10010
http_cache_port_t udp 3130
http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000
But a look at audit.log shows:
type=AVC msg=audit(1532760423.923:2154): avc: denied { name_connect } for pid=6231
comm="httpd"
dest=8009
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1
The same happens if I try to connect using a non-standard port (8210, after using
semanage to add that port to http_port_t). It is the identical message besides the dest.
*aAfter* I delete the local modification using semanage -D I get:
type=AVC msg=audit(1532759778.298:2149): avc: denied { name_connect } for pid=985
comm="httpd"
dest=8210
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
On RHEL7 / CentOS7 everything works just fine.
I couldn’t find a clean search the web. So, any help much appreciated.
Thanks
Peter
Piping the AVC message into audit2why isn't helpful?
Please check "setsebool -P httpd_can_network_connect=1"
Alexander