SELinux: allow httpd to connect to a specific port

Solution 1:

By default, the SELinux policy will only allow services access to recognized ports associated with those services:

# semanage port -l | egrep '(^http_port_t|6379)'
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
# curl http://localhost/redis.php
Cannot connect to redis server.

- add the Redis port (6379) to the SELinux policy

# semanage port -a -t http_port_t -p tcp 6379
# semanage port -l | egrep '(^http_port_t|6379)'
http_port_t                    tcp      6379, 80, 81, 443, 488, 8008, 8009, 8443, 9000
# curl http://localhost/redis.php
Connected successfully.

You can also install the setroubleshoot-server RPM and run: sealert -a /var/log/audit/audit.log. It will give you a nice report with useful suggestions (including the command above).

PHP script to test connection:

# cat redis.php 
<?php

$redis=new Redis();
$connected= $redis->connect('127.0.0.1', 6379);

if(!$connected) {
        die( "Cannot connect to redis server.\n" );
}

echo "Connected successfully.\n";

?>

Solution 2:

You may need to use

semanage port -m -t http_port_t -p tcp 6379

If semanage is missing, then add the package policycoreutils-python:

yum install policycoreutils-python
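Solution 1 labels the port with -a and Solution 2 with -m; which one succeeds depends on whether the port already carries a label. On current Fedora and RHEL policies tcp/6379 is already redis_port_t, so -a fails with "Port tcp/6379 already defined" and only -m works, while on the older policy shown in Solution 1 the port was unlabeled and -a was correct. The script below is an added example, not code from either answer: it reads the output of semanage port -l, looks up the port, and prints the command that applies. The listing it runs on here is constructed, and the function names port_type and semanage_cmd are mine.

```sh
#!/bin/sh
# Added example: pick `semanage port -a` (port unlabeled) or `semanage port -m`
# (port already labeled with another type) from the text of `semanage port -l`.
# Runs offline against a constructed listing; on a real host pipe the live
# listing in:  semanage port -l | semanage_cmd http_port_t tcp 6379

# Constructed, abridged `semanage port -l` output (not captured from a host).
# On this policy tcp/6379 is already labeled redis_port_t.
SAMPLE_LISTING='SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
mysqld_port_t                  tcp      1186, 3306, 63132-63164
redis_port_t                   tcp      6379, 16379, 26379'

# Print the type that currently owns PROTO/PORT in the listing on stdin,
# or nothing if the port is unlabeled.  Handles single ports and ranges.
# Usage: port_type <proto> <port> < listing
port_type() {
    proto=$1; port=$2
    awk -v proto="$proto" -v port="$port" '
        $2 == proto {
            # fields 3..NF are the comma-separated ports and port ranges
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                if (p ~ /-/) {
                    split(p, r, "-")
                    if (port+0 >= r[1]+0 && port+0 <= r[2]+0) { print $1; exit }
                } else if (p+0 == port+0) { print $1; exit }
            }
        }'
}

# Print the semanage command that labels PROTO/PORT as TYPE:
#   -a when the port has no label yet,
#   -m when it already has a different type (-a would fail: "already defined"),
#   nothing when it already carries TYPE.
# Usage: semanage_cmd <type> <proto> <port> < listing
semanage_cmd() {
    type=$1; proto=$2; port=$3
    cur=$(port_type "$proto" "$port")
    if [ -z "$cur" ]; then
        echo "semanage port -a -t $type -p $proto $port"
    elif [ "$cur" != "$type" ]; then
        echo "semanage port -m -t $type -p $proto $port"
    fi
}

# Demonstration on the constructed listing.
for spec in "tcp 6379" "tcp 6380" "tcp 443"; do
    set -- $spec
    cmd=$(echo "$SAMPLE_LISTING" | semanage_cmd http_port_t "$1" "$2")
    printf '%s/%s: %s\n' "$1" "$2" "${cmd:-already http_port_t, nothing to do}"
done
```

Two caveats before running the printed command. First, semanage lives in policycoreutils-python on RHEL/CentOS 6 and 7 but in policycoreutils-python-utils on RHEL/CentOS 8 and later and on Fedora. Second, relabeling 6379 as http_port_t changes what the port is for every domain on the host: anything allowed to bind or connect to http_port_t (not only httpd_t) can now reach Redis. The narrower route on current policies is the httpd_can_network_connect_db boolean (setsebool -P httpd_can_network_connect_db on), which on Fedora and RHEL 7+ covers redis_port_t; confirm that before relying on it with: sesearch -A -s httpd_t -t redis_port_t -c tcp_socket -p name_connect.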

Solution 3:

You could temporarily put SELinux in permissive mode and let httpd connect to Redis, then generate and build a custom policy module using audit2allow.
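The audit2allow step above, as an added example that is not from the answer: the AVC record below is constructed in the shape auditd writes to /var/log/audit/audit.log when httpd_t is denied name_connect to a redis_port_t port in permissive mode, and avc_to_allow (a name I chose) reduces such records to the allow rule audit2allow puts in the generated .te file. Reading that rule before semodule -i matters because a permissive session logs every denial on the host, not only the one you reproduced, and audit2allow -a will turn all of them into allow rules.

```sh
#!/bin/sh
# Added example: turn AVC denials into the `allow` rule that audit2allow
# would generate, so the module can be reviewed before it is installed.
# Runs offline on a constructed record.  The real-host sequence it mirrors:
#   setenforce 0                       # permissive, denials are logged, not enforced
#   curl http://localhost/redis.php    # reproduce the connection
#   ausearch -m AVC -ts recent | audit2allow -M httpd_redis
#   cat httpd_redis.te                 # review: only the rule you expect?
#   semodule -i httpd_redis.pp && setenforce 1

# Constructed AVC record (not captured from a real host): httpd_t denied
# name_connect on a tcp_socket labeled redis_port_t, logged with permissive=1.
SAMPLE_AUDIT='type=AVC msg=audit(1700000000.123:4242): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=6379 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:redis_port_t:s0 tclass=tcp_socket permissive=1'

# Print one "allow <source> <target>:<class> { <perms> };" line per distinct
# source/target/class seen in the AVC records on stdin, merging permissions.
# Usage: avc_to_allow < /var/log/audit/audit.log
avc_to_allow() {
    awk '
        /^type=AVC / && / denied / {
            # permissions are the words between "{" and "}"
            p = $0; sub(/.*denied  *\{ */, "", p); sub(/ *\}.*/, "", p)
            s = t = c = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                # third colon-separated field of a context is its type
                if (kv[1] == "scontext") { split(kv[2], f, ":"); s = f[3] }
                if (kv[1] == "tcontext") { split(kv[2], f, ":"); t = f[3] }
                if (kv[1] == "tclass")   c = kv[2]
            }
            key = s " " t ":" c
            n = split(p, ps, " ")
            for (j = 1; j <= n; j++)
                if (index(" " perms[key] " ", " " ps[j] " ") == 0)
                    perms[key] = perms[key] (perms[key] == "" ? "" : " ") ps[j]
        }
        END { for (k in perms) print "allow " k " { " perms[k] " };" }' | sort
}

# Demonstration on the constructed record.
echo "$SAMPLE_AUDIT" | avc_to_allow
```

The rule this prints is scoped to the redis_port_t type, which is narrower than relabeling the port into http_port_t; if the .te file also contains rules for other domains or classes, those came from unrelated denials during the permissive window and should be deleted before the module is compiled and installed.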