I want my apache daemon to listen on a different port but SELinux is preventing it, What do I do?
danwalsh
In Fedora Core 5/6 and RHEL 5, we have made it easier to customize certain common parts of SELinux. In previous releases of SELinux, if you wanted to change simple things like which port a daemon could listen on, you would need to write policy. Now we have the semanage utility.

SELinux assigns types to all network ports on a system. By default, all ports less than 1024 are labeled reserved_port_t and all ports greater than 1024 are labeled port_t. If a port is assigned to a particular type, say the http port 80, it has an assigned type of http_port_t. If you want to look at all the assigned ports in SELinux, you can use the semanage tool: semanage port -l.

So if you executed

semanage port -l | grep http
http_cache_port_t tcp 3128, 8080, 8118
http_cache_port_t udp 3130
http_port_t tcp 80, 443, 488, 8008, 8009, 8443
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989

Here we see http_port_t is assigned to ports 80, 443, 488, 8008, 8009, 8443.

The policy is written to allow httpd_t http_port_t:tcp_socket name_bind;

This means the apache command can "bind" to any port that is labeled http_port_t.

So let's say you want to run httpd on port 81.

So you edit /etc/httpd/conf/httpd.conf

and change this line
Listen 80
to
Listen 81


Now restart the daemon.
service httpd restart
Stopping httpd: [ OK ]
Starting httpd: (13)Permission denied: make_sock: could not bind to address [::]:81
(13)Permission denied: make_sock: could not bind to address 0.0.0.0:81
no listening sockets available, shutting down
Unable to open logs
[FAILED]

Now the daemon fails to start because it cannot bind to port 81.

This generates an AVC that looks like

----
time->Tue Dec 12 17:37:49 2006
type=SYSCALL msg=audit(1165963069.248:852): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bf96a830 a2=b5b1e8 a3=9e58b68 items=0 ppid=21133 pid=21134 auid=3267 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts10 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1165963069.248:852): avc: denied { name_bind } for pid=21134 comm="httpd" src=81 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket

To fix this, you can use semanage to add port 81 to the http_port_t type:

semanage port -a -t http_port_t -p tcp 81

service httpd start
Starting httpd: [ OK ]
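As an added example (not code from the original post), the POSIX shell script below applies the port-labeling rules described above to answer the two questions this walk-through raises: what SELinux type a given port carries, and which semanage command lets httpd_t bind to it. It assumes a listing constructed from the post's own semanage output and the single rule the post quotes (httpd_t may name_bind http_port_t); avc_fix reads the port and protocol straight out of a denied name_bind AVC record like the one shown.

```shell
#!/bin/sh
# Added example, not code from the original post. It applies the rules the post
# describes: an explicit `semanage port -l` entry wins, otherwise ports below
# 1024 are reserved_port_t and the rest are port_t. SEMANAGE_OUTPUT is constructed
# from the post's listing so this runs without semanage (else use "$(semanage port -l)").
SEMANAGE_OUTPUT='http_cache_port_t tcp 3128, 8080, 8118
http_cache_port_t udp 3130
http_port_t tcp 80, 443, 488, 8008, 8009, 8443
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989'

# port_type PORT PROTO: print the SELinux type the port carries.
port_type() {
    found=$(printf '%s\n' "$SEMANAGE_OUTPUT" | awk -v p="$1" -v pr="$2" '
        $2 == pr {
            for (i = 3; i <= NF; i++) {
                v = $i; sub(/,$/, "", v)
                # entries are single ports or low-high ranges
                if (v ~ /-/) {
                    split(v, r, "-")
                    if (p + 0 >= r[1] + 0 && p + 0 <= r[2] + 0) { print $1; exit }
                } else if (v + 0 == p + 0) { print $1; exit }
            }
        }')
    if [ -n "$found" ]; then printf '%s\n' "$found"
    elif [ "$1" -lt 1024 ]; then echo reserved_port_t
    else echo port_t
    fi
}

# fix_command PORT PROTO: print the semanage command that lets httpd_t bind,
# given the rule the post quotes (httpd_t may name_bind http_port_t). A port
# with only its default type is added with -a; a port that already has an
# explicit entry cannot be added twice, so it is modified with -m instead.
fix_command() {
    case "$(port_type "$1" "$2")" in
        http_port_t)            echo "already http_port_t: no change needed" ;;
        reserved_port_t|port_t) echo "semanage port -a -t http_port_t -p $2 $1" ;;
        *)                      echo "semanage port -m -t http_port_t -p $2 $1" ;;
    esac
}

# avc_fix AVC_LINE: read src= and tclass= out of a denied name_bind AVC record
# (the one the post shows) and print the fix for that port and protocol.
avc_fix() {
    port=$(printf '%s\n' "$1" | sed -n 's/.*src=\([0-9]*\).*/\1/p')
    proto=$(printf '%s\n' "$1" | sed -n 's/.*tclass=\([a-z]*\)_socket.*/\1/p')
    fix_command "$port" "$proto"
}
```

Running `avc_fix` on the post's AVC line yields exactly the `semanage port -a -t http_port_t -p tcp 81` command used above.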


BTW setroubleshoot reported

Dec 12 17:37:51 localhost setroubleshoot: SELinux is preventing the /usr/sbin/httpd (httpd_t) from binding to port 81. For complete SELinux messages. run sealert -l a666076c-b050-4bed-ba88-38bc37681214

And running
sealert -H -l a666076c-b050-4bed-ba88-38bc37681214

Summary

SELinux is preventing the /usr/sbin/httpd (httpd_t) from binding to port 81.

Detailed Description

SELinux has denied the /usr/sbin/httpd from binding to a network port 81 which does not have an SELinux type associated with it. If /usr/sbin/httpd is supposed to be allowed to listen on this port, you can use the semanage command to add this port to a port type that httpd_t can bind to. semanage port -L will list all port types. Please file a bug report against the selinux-policy package. If /usr/sbin/httpd is not supposed to bind to this port, this could signal a intrusion attempt.

Allowing Access

If you want to allow /usr/sbin/httpd to bind to this port semanage port -a -t PORT_TYPE 81 Where PORT_TYPE is a type that httpd_t can bind.

Additional Information


Source Context:  user_u:system_r:httpd_t
Target Context:  system_u:object_r:reserved_port_t
Target Objects:  None [ tcp_socket ]
Affected RPM Packages:  httpd-2.2.3-6.el5 [application]
Policy RPM:  selinux-policy-2.4.6-9.el5
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  plugins.bind_ports
Host Name:  localhost.localdomain
Platform:  Linux localhost.localdomain 2.6.18-1.2747.el5 #1 SMP Thu Nov 9 18:55:30 EST 2006 i686 i686
Alert Count:  2
Line Numbers:   

Raw Audit Messages:

avc: denied { name_bind } for comm="httpd" egid=0 euid=0 exe="/usr/sbin/httpd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=21134 scontext=user_u:system_r:httpd_t:s0 sgid=0 src=81 subj=user_u:system_r:httpd_t:s0 suid=0 tclass=tcp_socket tcontext=system_u:object_r:reserved_port_t:s0 tty=pts10 uid=0



Interesting post

(Anonymous)
Your article is very informative and helped me further.

Thanks, David

Thanks!

(Anonymous)
Been trying to get my Fedora/Apache server to listen on port 81, as well, to run a development version of the port 80 site, and couldn't figure out why apache couldn't bind. Figured it might have something to do with selinux, since I couldn't find any other reason, and found your article via Google. Helped me out a great deal--thank you.


Re: Thanks!

(Anonymous)
Same here. Thanks a lot.


Easy to follow instruction on how to fix the problem I was experiencing.
Thank you
