A problem occurred when I tried to start Apache on our new RedHat system.
# /etc/init.d/httpd start
(13)Permission denied: make_sock: could not bind to address [::]:10080
no listening sockets available, shutting down
Unable to open logs
This problem came up after I added “Listen 10080” to the Apache configuration file httpd.conf. After a look into /var/log/messages and some research on Google I found out that the problem was SELinux, a mandatory access control system for Linux developed to a considerable extent by the NSA and RedHat.
# grep httpd /var/log/messages
Sep 1 20:21:39 kernel: audit(1157160099.715:11): avc:
denied { name_bind } for pid=3058 comm="httpd"
src=10080 scontext=root:system_r:httpd_t
tcontext=system_u:object_r:port_t tclass=tcp_socket
The denial says that a process in the httpd_t domain (comm="httpd") was refused the name_bind permission on a tcp_socket for port 10080: the port carries the generic port_t label, not http_port_t, so the targeted policy has no rule that lets Apache bind to it.
I found some good articles [1], [2] about SELinux, but there was no easy howto for adding a policy rule that allows Apache to use ports other than 80 and 8080.
Now we will allow Apache to listen on ports 10080 and 20080.
If there is no directory /etc/selinux/targeted/src in your RedHat installation, you have to install the policy sources first:
# up2date -i selinux-policy-targeted-sources
Afterwards create the file /etc/selinux/targeted/src/policy/domains/misc/local.te and add the line “allow httpd_t port_t:tcp_socket name_bind;” to it. This grants Apache the name_bind permission on every TCP port that is labelled port_t, i.e. every port without a more specific label, so it is rather broad. A more restrictive way is to edit /etc/selinux/targeted/src/policy/net_contexts, which lets you approve or deny the usage of each individual port: the line “portcon tcp 10080 system_u:object_r:http_port_t” labels port 10080 as http_port_t, so the existing rules for Apache cover it and no new allow rule is needed.
The difference between the two is that changes in local.te survive policy updates while changes in net_contexts do not. [3]
When you have finished the configuration changes you have to compile, install and load the new policy:
# cd /etc/selinux/targeted/src/policy
# make load
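As an added example that is not part of the original post, the following POSIX sh functions turn an AVC denial line like the one above into the two policy lines discussed: the coarse allow rule for local.te and the narrow portcon line for net_contexts. The sample log line is constructed to match the denial shown in the post; the mapping of the denied port to http_port_t follows the post's own portcon example and assumes the denied domain is httpd_t (a denial for another daemon would need that daemon's port type instead).

```sh
#!/bin/sh
# Added example, not code from the original post.
# Constructed sample: same shape as the AVC denial from /var/log/messages.
AVC_SAMPLE='Sep 1 20:21:39 kernel: audit(1157160099.715:11): avc: denied { name_bind } for pid=3058 comm="httpd" src=10080 scontext=root:system_r:httpd_t tcontext=system_u:object_r:port_t tclass=tcp_socket'

# avc_field LINE KEY: print the value of "KEY=value" in LINE
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_type CONTEXT: the type component of a user:role:type[:level] context
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perm LINE: the permission listed inside "denied { ... }"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p' | sed 's/^ *//;s/ *$//'
}

# avc_to_allow LINE: the coarse rule for local.te
# (grants the permission on every port carrying the target type, e.g. port_t)
avc_to_allow() {
    src_type=$(avc_type "$(avc_field "$1" scontext)")
    tgt_type=$(avc_type "$(avc_field "$1" tcontext)")
    tclass=$(avc_field "$1" tclass)
    perm=$(avc_perm "$1")
    printf 'allow %s %s:%s %s;\n' "$src_type" "$tgt_type" "$tclass" "$perm"
}

# avc_to_portcon LINE: the narrow line for net_contexts, labelling only the
# denied port with http_port_t. Assumption: the denied domain is httpd_t.
avc_to_portcon() {
    port=$(avc_field "$1" src)
    proto=$(avc_field "$1" tclass | sed 's/_socket$//')   # tcp_socket -> tcp
    printf 'portcon %s %s system_u:object_r:http_port_t\n' "$proto" "$port"
}

# Show both alternatives for the sample denial.
avc_to_allow "$AVC_SAMPLE"
avc_to_portcon "$AVC_SAMPLE"
```

Pipe a real denial from `grep avc /var/log/messages` into either function to get the line to paste into local.te or net_contexts; prefer the portcon form when you only need one or two extra ports, and the allow form when the set of ports changes often and must survive policy updates.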
[1] Regel-Praxis by Carsten Grohmann (German)
[2] Writing SE Linux policy HOWTO by Faye Coker (English)
[3] Re: httpd fails to start with latest policy by Stephen Smalley (English)