SELinux and Apache
A problem occurred when I tried to start Apache on our new RedHat system.
/etc/init.d/httpd start
(13)Permission denied: make_sock: could not bind to address [::]:10080
no listening sockets available, shutting down
Unable to open logs
This problem came up after I had added "Listen 10080" to the Apache configuration file httpd.conf. After a look into /var/log/messages and some research on Google I found out that the problem was SELinux, a mandatory access control system developed largely by the NSA and RedHat.
grep httpd /var/log/messages
Sep 1 20:21:39 kernel: audit(1157160099.715:11): avc: denied { name_bind } for pid=3058 comm="httpd" src=10080 scontext=root:system_r:httpd_t tcontext=system_u:object_r:port_t tclass=tcp_socket
I found some good articles [1], [2] about SELinux, but there was no simple howto for adding a policy rule that allows Apache to use ports other than 80 and 8080.
Now we will configure Apache to listen on ports 10080 and 20080.
If there is no directory /etc/selinux/targeted/src in your RedHat installation, you have to install the SELinux policy sources first:
up2date -i selinux-policy-targeted-sources
Afterwards, create the file /etc/selinux/targeted/src/policy/domains/misc/local.te and add the line
allow httpd_t port_t:tcp_socket name_bind;
This grants the httpd_t domain the name_bind permission on every TCP port that carries the generic port_t label, i.e. every port that has no more specific type. A more restrictive way is to label individual ports in /etc/selinux/targeted/src/policy/net_contexts; this lets you allow or deny each port separately (e.g. portcon tcp 10080 system_u:object_r:http_port_t, which gives port 10080 the same type as port 80, so the existing rules for httpd_t already cover it).
The difference between the two is that changes in local.te survive policy updates while changes in net_contexts do not [3]. Once you have finished your configuration changes, you have to compile, install and load the new policy:
cd /etc/selinux/targeted/src/policy
make load
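As an added example (not part of the original post, and not code from Apache or the SELinux project), here is a small POSIX shell script that takes an AVC name_bind denial like the one quoted above and derives both rules discussed in this post: the broad allow rule for local.te and the narrower portcon line for net_contexts. The sample log line is constructed from the one in /var/log/messages above; the helper names (avc_field, type_of, allow_rule, portcon_rule, is_name_bind_denial) are my own.

```shell
#!/bin/sh
# Added example, not from the original post: derive SELinux rules from an
# AVC "name_bind" denial. SAMPLE_AVC is constructed from the log line in the post.
SAMPLE_AVC='Sep 1 20:21:39 kernel: audit(1157160099.715:11): avc: denied { name_bind } for pid=3058 comm="httpd" src=10080 scontext=root:system_r:httpd_t tcontext=system_u:object_r:port_t tclass=tcp_socket'

# avc_field LINE KEY -> prints VALUE from the " KEY=VALUE" token of an AVC line
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# type_of CONTEXT -> the type part (third field) of user:role:type
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Broad rule, as in local.te: the source domain may bind any port that
# carries the target type (here port_t, the label of unlabelled ports).
allow_rule() {
    line=$1
    sdom=$(type_of "$(avc_field "$line" scontext)")
    ttype=$(type_of "$(avc_field "$line" tcontext)")
    tclass=$(avc_field "$line" tclass)
    printf 'allow %s %s:%s name_bind;\n' "$sdom" "$ttype" "$tclass"
}

# Narrow rule, as in net_contexts: relabel only the denied port so it carries
# the type Apache is already allowed to bind (http_port_t, like port 80).
portcon_rule() {
    line=$1
    port=$(avc_field "$line" src)
    tclass=$(avc_field "$line" tclass)
    proto=${tclass%_socket}          # tcp_socket -> tcp
    printf 'portcon %s %s system_u:object_r:http_port_t\n' "$proto" "$port"
}

# Only name_bind denials are the problem this post is about.
is_name_bind_denial() {
    case $1 in
        *"avc: denied { name_bind }"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: sh avc2rule.sh --demo   (prints both candidate rules for the sample)
if [ "${1:-}" = "--demo" ]; then
    if is_name_bind_denial "$SAMPLE_AVC"; then
        allow_rule "$SAMPLE_AVC"
        portcon_rule "$SAMPLE_AVC"
    fi
fi
```

Prefer the portcon form where you can: relabelling a single port as http_port_t grants Apache only that port, while "allow httpd_t port_t:tcp_socket name_bind" lets it bind every port that still carries the generic port_t label. On current RedHat releases with the modular policy the same relabelling is done without policy sources, with semanage port -a -t http_port_t -p tcp 10080.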
Links
- [1] Regel-Praxis by Carsten Grohmann (German)
- [2] Writing SE Linux policy HOWTO by Faye Coker (English)
- [3] Re: httpd fails to start with latest policy by Stephen Smalley (English)
