Dan Walsh's Blog - I want my apache daemon to listen on a different port but SELinux is preventing it, What do I do?

Dan Walsh's Blog - I want my apache daemon to listen on a different port but SELinux is preventing it, What do I do?

[entries|archive|friends|userinfo]

danwalsh

[	website	\|	My Website	]
[	userinfo	\|	livejournal userinfo	]
[	archive	\|	journal archive	]

I want my apache daemon to listen on a different port but SELinux is preventing it, What do I do?

[Dec. 12th, 2006|07:20 pm]

In Fedora Core 5/6 and RHEL 5. We have made it easier to customize certain common parts of SELinux. In previous releases of SELinux if you wanted to change simple things like which port a daemon could listen to, you would need to write policy. Now we have the semanage utility.

SELinux assigns types to all network ports on a system. By default all ports are less then 1024 are labeled reserved_port_t and all ports > 1024 are labeled port_t. If a port is assigned to a particular type
say the http port 80, it has an assigned type of http_port_t. If you want to look at all the assigned ports in SELinux, you can use the semanage tool, semanage port -l.

So if you executed

semanage port -l | grep http
http_cache_port_t tcp 3128, 8080, 8118
http_cache_port_t udp 3130
http_port_t tcp 80, 443, 488, 8008, 8009, 8443
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989

Here we see http_port_t is assigned to ports 80, 443, 488, 8008, 8009, 8443

The policy is written to allow httpd_t http_port_t:tcp_socket name_bind;

This means the apache command can "bind" to an port that is labeled http_port_t.

So lets say you want to run httpd on port 81.

So you edit /etc/httpd/http.conf

and change this line
Listen 80
to
Listen 81

Now restart the daemon.
service httpd restart
Stopping httpd: [ OK ]
Starting httpd: (13)Permission denied: make_sock: could not bind to address [::]:81
(13)Permission denied: make_sock: could not bind to address 0.0.0.0:81
no listening sockets available, shutting down
Unable to open logs
[FAILED]

Now the daemon fails to start because it can not bind to port 81.

This generates an AVC that looks like

----
time->Tue Dec 12 17:37:49 2006
type=SYSCALL msg=audit(1165963069.248:852): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bf96a830 a2=b5b1e8 a3=9e58b68 items=0 ppid=21133 pid=21134 auid=3267 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts10 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1165963069.248:852): avc: denied { name_bind } for pid=21134 comm="httpd" src=81 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket

To fix this you can use semanage to add the port

semanage port -a -t http_port_t -p tcp 81

service httpd start
Starting httpd: [ OK ]

BTW setroubleshoot reported

Dec 12 17:37:51 localhost setroubleshoot: SELinux is preventing the /usr/sbin/httpd (httpd_t) from binding to port 81. For complete SELinux messages. run sealert -l a666076c-b050-4bed-ba88-38bc37681214

And running
sealert -H -l a666076c-b050-4bed-ba88-38bc37681214

Summary

SELinux is preventing the /usr/sbin/httpd (httpd_t) from binding to port 81.

Detailed Description

SELinux has denied the /usr/sbin/httpd from binding to a network port 81 which does not have an SELinux type associated with it. If /usr/sbin/httpd is supposed to be allowed to listen on this port, you can use the semanage command to add this port to a port type that httpd_t can bind to. semanage port -L will list all port types. Please file a bug report against the selinux-policy package. If /usr/sbin/httpd is not supposed to bind to this port, this could signal a intrusion attempt.

Allowing Access

If you want to allow /usr/sbin/httpd to bind to this port semanage port -a -t PORT_TYPE 81 Where PORT_TYPE is a type that httpd_t can bind.

Additional Information

Source Context:	user_u:system_r:httpd_t
Target Context:	system_u:object_r:reserved_port_t
Target Objects:	None [ tcp_socket ]
Affected RPM Packages:	httpd-2.2.3-6.el5 [application]
Policy RPM:	selinux-policy-2.4.6-9.el5
Selinux Enabled:	True
Policy Type:	targeted
MLS Enabled:	True
Enforcing Mode:	Enforcing
Plugin Name:	plugins.bind_ports
Host Name:	localhost.localdomain
Platform:	Linux localhost.localdomain 2.6.18-1.2747.el5 #1 SMP Thu Nov 9 18:55:30 EST 2006 i686 i686
Alert Count:	2
Line Numbers:

Raw Audit Messages
:

avc: denied { name_bind } for comm="httpd" egid=0 euid=0 exe="/usr/sbin/httpd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=21134 scontext=user_u:system_r:httpd_t:s0 sgid=0 src=81 subj=user_u:system_r:httpd_t:s0 suid=0 tclass=tcp_socket tcontext=system_u:object_r:reserved_port_t:s0 tty=pts10 uid=0

Link

Comments:

From: (Anonymous)
2007-01-08 07:11 pm (UTC)

watch it

(Link)

hello there!
Very like it!
I like it a lot! Good work, keep it up. We enjoyed visiting your website very much.

Sponsored links:

http://oxycontin-on.blogspot.com/ oxycontin

See ya!

(Reply) (Thread)

From: (Anonymous)
2007-01-09 04:04 am (UTC)

info4U

(Link)

good day!
Keep up this great resource.
We enjoyed visiting your website very much. You have to look at this too.

Try this - very useful:

http://lortab-bo.blogspot.com/ lortab

Ciao!

(Reply) (Thread)

From:

timeaganyz
2008-07-16 07:11 am (UTC)

(Link)

Org/ lortab Thank's. At Fri Jan AM EST , Anonymous said. . . Hi all. Keep up this great resource.

(Reply) (Parent) (Thread)

From:

kittymavex
2008-07-16 05:48 pm (UTC)

Summary

Detailed Description

Allowing Access

Additional Information

watch it

info4U

When hsould we plan our departure?

People get ready

Interesting post

Thanks!

bezTJGTPWTXSPY

LINKS

LINKS

Re: Thanks!

aReACWNjwmvpGTJBf

UAYBYuZxroVipHehWhb

nrzmdiZXmh

ulwNlUyxAZlJn

EeUVlonbKIievsTfSG

edzbXVHymOu

tHKBwwpIYGl

Advertisement