SElinux: allow httpd to connect to a specific port

apache-2.2 redhat redis selinux

Solution 1:

By default, the SELinux policy will only allow services access to recognized ports associated with those services:

# semanage port -l | egrep '(^http_port_t|6379)'
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
# curl http://localhost/redis.php
Cannot connect to redis server.

- add Redis port (6379) to SELinux policy

# semanage port -a -t http_port_t -p tcp 6379
# semanage port -l | egrep '(^http_port_t|6379)'
http_port_t                    tcp      6379, 80, 81, 443, 488, 8008, 8009, 8443, 9000
# curl http://localhost/redis.php
Connected successfully.

You can also install setroubleshoot-server RPM and run: sealert -a /var/log/audit/audit.log - it will give you a nice report with useful suggestions (including command above).

PHP script to test connection:

# cat redis.php 
<?php

$redis=new Redis();
$connected= $redis->connect('127.0.0.1', 6379);

if(!$connected) {
        die( "Cannot connect to redis server.\n" );
}

echo "Connected successfully.\n";

?>

Solution 2:

You may need to use

semanage port -m -t http_port_t -p tcp 6379

If semanage is missing then add the package policycoreutils-python

yum install policycoreutils-python

Solution 3:

You could temporary put selinux in permissive mode and let httpd connect to redis, then generate and build a custom policy module using audit2allow

Related

How long does negative DNS caching typically last?
Ubuntu Linux - multiple NICs, same LAN... ARP responses always go out a single NIC
Do background processes get a SIGHUP when logging off?
Allowing FTP with IPTables
What is the problem with using Fedora for servers?
SSL password on apache2 restart
Sell partitioning to me
How to collect bounces in postfix
How should I setup separate MX records for a subdomain?
What does Silence do?
Unable to join online games of Among Us due to Parental Controls that were never set up?
Can I join Xbox players on PC in Stardew Valley?