8.2.2. How are Confined Services Running?
Services can be run in a variety of ways. To cater for this, you must tell SELinux how you are running services. This can be achieved via Booleans that allow parts of SELinux policy to be changed at runtime, without any knowledge of SELinux policy writing. This allows changes, such as allowing services access to NFS volumes, without reloading or recompiling SELinux policy. Also, running services on non-default port numbers requires policy configuration to be updated via the
semanage
command.
For example, to allow the Apache HTTP Server to communicate with MySQL, enable the
httpd_can_network_connect_db
Boolean:
~]# setsebool -P httpd_can_network_connect_db on
If access is denied for a particular service, use the
getsebool
and grep
commands to see if any Booleans are available to allow access. For example, use the getsebool -a | grep ftp
command to search for FTP related Booleans:
~]$ getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
ftpd_connect_db --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
For a list of Booleans and whether they are on or off, run the
getsebool -a
command. For a list of Booleans, an explanation of what each one is, and whether they are on or off, run the semanage boolean -l
command as the Linux root user. Refer to Section 5.5, “Booleans” for information about listing and configuring Booleans.
Port Numbers
Depending on policy configuration, services may only be allowed to run on certain port numbers. Attempting to change the port a service runs on without changing policy may result in the service failing to start. For example, run the
semanage port -l | grep http
command as the Linux root user to list http
related ports:
~]# semanage port -l | grep http
http_cache_port_t tcp 3128, 8080, 8118
http_cache_port_t udp 3130
http_port_t tcp 80, 443, 488, 8008, 8009, 8443
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989
The
http_port_t
port type defines the ports Apache HTTP Server can listen on, which in this case, are TCP ports 80, 443, 488, 8008, 8009, and 8443. If an administrator configures httpd.conf
so that httpd
listens on port 9876 (Listen 9876
), but policy is not updated to reflect this, the service httpd start
command fails:
~]# service httpd start
Starting httpd: (13)Permission denied: make_sock: could not bind to address [::]:9876
(13)Permission denied: make_sock: could not bind to address 0.0.0.0:9876
no listening sockets available, shutting down
Unable to open logs
[FAILED]
An SELinux denial similar to the following is logged to
/var/log/audit/audit.log
:
type=AVC msg=audit(1225948455.061:294): avc: denied { name_bind } for pid=4997 comm="httpd" src=9876 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
To allow
httpd
to listen on a port that is not listed for the http_port_t
port type, run the semanage port
command to add a port to policy configuration[12]:
~]# semanage port -a -t http_port_t -p tcp 9876
The
-a
option adds a new record; the -t
option defines a type; and the -p
option defines a protocol. The last argument is the port number to add.
[12]
The
semanage port -a
command adds an entry to the /etc/selinux/targeted/modules/active/ports.local
file. Note that by default, this file can only be viewed by the Linux root user.