December 12th, 2006

I want my Apache daemon to listen on a different port, but SELinux is preventing it. What do I do?

In Fedora Core 5/6 and RHEL 5 we have made it easier to customize certain common parts of SELinux. In previous releases of SELinux, if you wanted to change something as simple as which port a daemon could listen on, you had to write policy. Now we have the semanage utility.

SELinux assigns types to all network ports on a system. By default, all ports below 1024 are labeled reserved_port_t and all ports above 1024 are labeled port_t. If a port is assigned to a particular type, say the HTTP port 80, it has an assigned type of http_port_t. If you want to look at all the assigned ports in SELinux, you can use the semanage tool: semanage port -l.

So if you execute:

semanage port -l | grep http
http_cache_port_t tcp 3128, 8080, 8118
http_cache_port_t udp 3130
http_port_t tcp 80, 443, 488, 8008, 8009, 8443
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989

Here we see that http_port_t is assigned to ports 80, 443, 488, 8008, 8009 and 8443.

The policy contains the rule: allow httpd_t http_port_t:tcp_socket name_bind;

This means the Apache daemon can "bind" to any port that is labeled http_port_t.

So let's say you want to run httpd on port 81.

You edit /etc/httpd/http.conf and change this line
Listen 80
to
Listen 81

Now restart the daemon:
service httpd restart
Stopping httpd: [ OK ]
Starting httpd: (13)Permission denied: make_sock: could not bind to address [::]:81
(13)Permission denied: make_sock: could not bind to address 0.0.0.0:81
no listening sockets available, shutting down
Unable to open logs
[FAILED]

Now the daemon fails to start because it cannot bind to port 81.

This generates an AVC denial that looks like this:

----
time->Tue Dec 12 17:37:49 2006
type=SYSCALL msg=audit(1165963069.248:852): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bf96a830 a2=b5b1e8 a3=9e58b68 items=0 ppid=21133 pid=21134 auid=3267 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts10 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1165963069.248:852): avc: denied { name_bind } for pid=21134 comm="httpd" src=81 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket

To fix this, use semanage to add port 81 to the http_port_t type, then start the daemon again:

semanage port -a -t http_port_t -p tcp 81

service httpd start
Starting httpd: [ OK ]
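The two steps above, reading the port listing and turning the name_bind AVC into a semanage command, are easy to script. The following is an added example, not code from the original post: a small POSIX sh tool that parses an AVC record for the port, protocol and source domain, checks a semanage port -l listing to see whether another type already owns that port, and prints the semanage command an administrator would review before running it. The function names are mine; the only domain-to-port-type pair it knows is httpd_t to http_port_t, which the post documents (a real tool would query the policy), and it assumes that a port already assigned to a non-default type must be changed with semanage port -m rather than -a, since -a refuses to redefine a port. It runs offline on samples copied from the post.

```shell
#!/bin/sh
# Added example (not from the original post): parse an SELinux name_bind AVC
# denial and print the semanage command that would label the port for the
# denied domain. Everything below runs offline on constructed samples.

# Constructed sample: the AVC line the post shows for httpd binding to port 81.
AVC_SAMPLE='type=AVC msg=audit(1165963069.248:852): avc: denied { name_bind } for pid=21134 comm="httpd" src=81 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket'

# Constructed sample: the `semanage port -l | grep http` output from the post.
# On a live system replace this with:  PORT_LIST=$(semanage port -l)
PORT_LIST='http_cache_port_t tcp 3128, 8080, 8118
http_cache_port_t udp 3130
http_port_t tcp 80, 443, 488, 8008, 8009, 8443
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989'

# avc_field LINE KEY: print the value of KEY=value in an audit record.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# type_of CONTEXT: the type field of a user:role:type:level context.
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# proto_of_class TCLASS: map the object class to the -p argument semanage expects.
proto_of_class() {
    case "$1" in
        tcp_socket) echo tcp ;;
        udp_socket) echo udp ;;
        *) return 1 ;;
    esac
}

# port_type_for_domain DOMAIN: the port type the domain may name_bind.
# Assumption: only the httpd_t -> http_port_t pair from the post is known here;
# anything else keeps the PORT_TYPE placeholder that sealert itself prints.
port_type_for_domain() {
    case "$1" in
        httpd_t) echo http_port_t ;;
        *) echo PORT_TYPE ;;
    esac
}

# port_owner PORT PROTO LIST: print the non-default type that already owns
# PORT/PROTO in a `semanage port -l` listing. Handles single ports and ranges
# such as 1024-65535; the reserved_port_t/port_t defaults do not count as owners.
port_owner() {
    printf '%s\n' "$3" | awk -v port="$1" -v proto="$2" '
        $2 == proto && $1 != "reserved_port_t" && $1 != "port_t" {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                if (p ~ /-/) {
                    split(p, r, "-")
                    if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) { print $1; exit }
                } else if (p == port) { print $1; exit }
            }
        }'
}

# suggest_fix AVC_LINE LIST: print the semanage command for a name_bind denial.
# A port that only carries the default label is added with -a; a port already
# assigned to another type has to be modified with -m (-a would refuse it).
suggest_fix() {
    _port=$(avc_field "$1" src)
    _proto=$(proto_of_class "$(avc_field "$1" tclass)") || return 1
    _domain=$(type_of "$(avc_field "$1" scontext)")
    _ptype=$(port_type_for_domain "$_domain")
    _owner=$(port_owner "$_port" "$_proto" "$2")
    if [ -n "$_owner" ]; then
        echo "semanage port -m -t $_ptype -p $_proto $_port"
    else
        echo "semanage port -a -t $_ptype -p $_proto $_port"
    fi
}

# For the post's denial this prints: semanage port -a -t http_port_t -p tcp 81
suggest_fix "$AVC_SAMPLE" "$PORT_LIST"
```

The tool prints the command instead of running it on purpose: as the sealert text below points out, a daemon trying to bind a port it is not supposed to own is also what an intrusion can look like, so the administrator confirms the Listen change was intended before relabeling the port. The same field parser works on the reordered "Raw Audit Messages" line that sealert prints, since it keys on the field names rather than their position.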


BTW setroubleshoot reported

Dec 12 17:37:51 localhost setroubleshoot: SELinux is preventing the /usr/sbin/httpd (httpd_t) from binding to port 81. For complete SELinux messages. run sealert -l a666076c-b050-4bed-ba88-38bc37681214

And running sealert -H -l a666076c-b050-4bed-ba88-38bc37681214 gives the following:

Summary

SELinux is preventing the /usr/sbin/httpd (httpd_t) from binding to port 81.

Detailed Description

SELinux has denied the /usr/sbin/httpd from binding to a network port 81 which does not have an SELinux type associated with it. If /usr/sbin/httpd is supposed to be allowed to listen on this port, you can use the semanage command to add this port to a port type that httpd_t can bind to. semanage port -L will list all port types. Please file a bug report against the selinux-policy package. If /usr/sbin/httpd is not supposed to bind to this port, this could signal a intrusion attempt.

Allowing Access

If you want to allow /usr/sbin/httpd to bind to this port semanage port -a -t PORT_TYPE 81 Where PORT_TYPE is a type that httpd_t can bind.

Additional Information
Source Context:  user_u:system_r:httpd_t
Target Context:  system_u:object_r:reserved_port_t
Target Objects:  None [ tcp_socket ]
Affected RPM Packages:  httpd-2.2.3-6.el5 [application]
Policy RPM:  selinux-policy-2.4.6-9.el5
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  plugins.bind_ports
Host Name:  localhost.localdomain
Platform:  Linux localhost.localdomain 2.6.18-1.2747.el5 #1 SMP Thu Nov 9 18:55:30 EST 2006 i686 i686
Alert Count:  2
Line Numbers:   

Raw Audit Messages:

avc: denied { name_bind } for comm="httpd" egid=0 euid=0 exe="/usr/sbin/httpd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=21134 scontext=user_u:system_r:httpd_t:s0 sgid=0 src=81 subj=user_u:system_r:httpd_t:s0 suid=0 tclass=tcp_socket tcontext=system_u:object_r:reserved_port_t:s0 tty=pts10 uid=0