10.10.2.2. How are Confined Services Running?
Services can be run in a variety of ways. To cater for this, you need to specify how you run your services. This can be achieved via Booleans that allow parts of SELinux policy to be changed at runtime, without any knowledge of SELinux policy writing. This allows changes, such as allowing services access to NFS volumes, without reloading or recompiling SELinux policy. Also, running services on non-default port numbers requires policy configuration to be updated via the semanage command.
For example, to allow the Apache HTTP Server to communicate with MariaDB, enable the httpd_can_network_connect_db Boolean:
~]# setsebool -P httpd_can_network_connect_db on
If access is denied for a particular service, use the getsebool and grep utilities to see if any Booleans are available to allow access. For example, use the getsebool -a | grep ftp command to search for FTP related Booleans:
~]$ getsebool -a | grep ftp
ftpd_anon_write --> off
ftpd_full_access --> off
ftpd_use_cifs --> off
ftpd_use_nfs --> off
ftp_home_dir --> off
ftpd_connect_db --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
For a list of Booleans and whether they are on or off, run the getsebool -a command. For a list of Booleans, an explanation of what each one is, and whether they are on or off, run the semanage boolean -l command as root. Refer to Section 10.4.5, “Booleans” for information about listing and configuring Booleans.
Port Numbers
Depending on policy configuration, services may only be allowed to run on certain port numbers. Attempting to change the port a service runs on without changing policy may result in the service failing to start. For example, run the semanage port -l | grep http command as root to list http related ports:
~]# semanage port -l | grep http
http_cache_port_t tcp 3128, 8080, 8118
http_cache_port_t udp 3130
http_port_t tcp 80, 443, 488, 8008, 8009, 8443
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989
The http_port_t port type defines the ports Apache HTTP Server can listen on, which in this case, are TCP ports 80, 443, 488, 8008, 8009, and 8443. If an administrator configures httpd.conf so that httpd listens on port 9876 (Listen 9876), but policy is not updated to reflect this, the following command fails:
~]# systemctl start httpd.service
Job for httpd.service failed. See 'systemctl status httpd.service' and 'journalctl -xn' for details.
~]# systemctl status httpd.service
httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
Active: failed (Result: exit-code) since Thu 2013-08-15 09:57:05 CEST; 59s ago
Process: 16874 ExecStop=/usr/sbin/httpd $OPTIONS -k graceful-stop (code=exited, status=0/SUCCESS)
Process: 16870 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
An SELinux denial message similar to the following is logged to /var/log/audit/audit.log:
type=AVC msg=audit(1225948455.061:294): avc: denied { name_bind } for pid=4997 comm="httpd" src=9876 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
To allow httpd to listen on a port that is not listed for the http_port_t port type, run the semanage port command to add a port to policy configuration:
~]# semanage port -a -t http_port_t -p tcp 9876
The -a option adds a new record; the -t option defines a type; and the -p option defines a protocol. The last argument is the port number to add.
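The following Python script is an added example, not part of this guide: it parses an audit.log name_bind denial together with the output of semanage port -l, and works out whether the denied port is unlabelled (generic port_t, so semanage port -a applies) or already owned by another port type (so semanage port -m would be needed instead). The sample inputs are constructed from the denial and port listing shown above.

```python
import re

# Constructed sample inputs, copied from the output shown on this page.
SEMANAGE_PORT_OUTPUT = """\
http_cache_port_t tcp 3128, 8080, 8118
http_cache_port_t udp 3130
http_port_t tcp 80, 443, 488, 8008, 8009, 8443
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989
"""
AVC_LINE = ('type=AVC msg=audit(1225948455.061:294): avc: denied { name_bind } '
            'for pid=4997 comm="httpd" src=9876 scontext=unconfined_u:system_r:httpd_t:s0 '
            'tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket')

def parse_port_labels(text):
    """Map (port_type, proto) -> list of (low, high) port ranges.
    semanage prints single ports and ranges such as 8000-8100 in one comma-separated list."""
    labels = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue  # skip headers or blank lines
        ptype, proto, ports = parts
        for item in ports.split(','):
            lo, _, hi = item.strip().partition('-')
            labels.setdefault((ptype, proto), []).append((int(lo), int(hi or lo)))
    return labels

def parse_avc(line):
    """Pull the fields relevant to a name_bind denial out of an audit.log AVC record."""
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    perm = re.search(r'denied\s*\{\s*([^}]+?)\s*\}', line).group(1)
    return {
        'perm': perm,
        'comm': fields['comm'].strip('"'),
        'port': int(fields['src']),
        'proto': fields['tclass'].split('_')[0],         # tcp_socket -> tcp
        'port_type': fields['tcontext'].split(':')[2],  # SELinux type of the target port
    }

def suggest_fix(avc, labels, wanted_type):
    """Return the semanage command that labels the denied port, or None if no change is needed."""
    if avc['perm'] != 'name_bind':
        return None
    for (ptype, proto), ranges in labels.items():
        if proto == avc['proto'] and any(lo <= avc['port'] <= hi for lo, hi in ranges):
            if ptype == wanted_type:
                return None  # already labelled correctly; the denial has another cause
            # port already belongs to another type, so -a is rejected; -m modifies the record
            return f"semanage port -m -t {wanted_type} -p {proto} {avc['port']}"
    # generic port_t, as in the denial above: add a new record with -a
    return f"semanage port -a -t {wanted_type} -p {avc['proto']} {avc['port']}"

if __name__ == '__main__':
    print(suggest_fix(parse_avc(AVC_LINE), parse_port_labels(SEMANAGE_PORT_OUTPUT), 'http_port_t'))
```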