Problem: Apache httpd (mod_proxy_ajp) cannot connect to Tomcat, which listens on port 8009 over the AJP protocol, because SELinux denies the outbound connection.
Detection
curl localhost returns 503
curl localhost
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>503 Service Unavailable</title>
</head><body>
<h1>Service Unavailable</h1>
<p>The server is temporarily unable to service your
request due to maintenance downtime or capacity
problems. Please try again later.</p>
</body></html>
There is a "(13)Permission denied: AH00957" entry in the Apache httpd error_log (or ssl_error_log for an HTTPS virtual host). Errno 13 (EACCES) on an outbound connect from httpd points at an SELinux denial rather than at Tomcat being down, which would show up as (111)Connection refused.
sudo cat /var/log/httpd/error_log
[Wed Feb 15 16:24:38.140421 2023] [proxy:error] [pid 10679:tid 10824] (13)Permission denied: AH00957: AJP: attempt to connect to 127.0.0.1:8009 (127.0.0.1) failed
[Wed Feb 15 16:24:38.140455 2023] [proxy:error] [pid 10679:tid 10824] AH00959: ap_proxy_connect_backend disabling worker for (127.0.0.1) for 60s
[Wed Feb 15 16:24:38.140458 2023] [proxy_ajp:error] [pid 10679:tid 10824] [client 127.0.0.1:36812] AH00896: failed to make connection to backend: 127.0.0.1
Remedy (1): set an SELinux boolean (-P makes it persistent across reboots)
sudo setsebool -P httpd_can_network_connect 1
This works, but httpd_can_network_connect lets httpd connect to any TCP port. The denied target here is http_port_t (8009 is in that set in the stock policy; confirm with semanage port -l | grep http_port_t), so the narrower boolean httpd_can_network_relay, which the audit2allow hint below also lists, is enough: run the same setsebool -P command with that boolean name instead.
Remedy (2)
Create a custom SELinux policy module instead of flipping a boolean. First generate a type enforcement (.te) file from the AVC denials in the audit log (sudo is needed only to read audit.log):
sudo grep http /var/log/audit/audit.log | grep denied | audit2allow -m httplocalconf > httplocalconf.te
Review the generated type enforcement file httplocalconf.te before compiling it and drop any allow rule you did not intend to grant; audit2allow turns every denial it was fed into a rule:
module httplocalconf 1.0;

require {
    type httpd_t;
    type http_port_t;
    class tcp_socket name_connect;
    class file read;
}

#============= httpd_t ==============
#!!!! This avc can be allowed using one of the these booleans:
#     httpd_can_network_connect, httpd_graceful_shutdown, httpd_can_network_relay, nis_enabled
allow httpd_t http_port_t:tcp_socket name_connect;
Compile it into a policy module
checkmodule -M -m -o httplocalconf.mod httplocalconf.te
Package the module into a policy package
semodule_package -o httplocalconf.pp -m httplocalconf.mod
Install the policy package (like the boolean, it persists across reboots)
sudo semodule -i httplocalconf.pp
Note that the single allow rule in this module is exactly what httpd_can_network_relay already grants, so for this particular denial the boolean is the simpler and more maintainable choice; a custom module earns its keep when no existing boolean covers the denial.
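The detection and remedy choice above, scripted as an added example (this is not code from the original note). It is POSIX sh plus awk run over a constructed audit.log excerpt and the page's own first error_log line, so it runs without SELinux or the audit tools installed; on a real host the AVC input would come from ausearch -m avc -c httpd. The parser and the recommend_fix mapping are this example's own; the remedy it picks for the page's denial is httpd_can_network_relay (also listed by the audit2allow hint) rather than the broader httpd_can_network_connect, and the semanage port command it suggests for an unlabelled port assumes the port is not already assigned to another type (use -m instead of -a if it is).

```shell
#!/bin/sh
# Added example, not from the original page: triage the AVC denial behind
# httpd's "(13)Permission denied: AH00957" and pick the narrowest remedy.
# It only parses text, so it runs without SELinux or the audit tools present.

# Constructed audit.log excerpt modelled on the real AVC record format
# (field names are the real ones; pids, timestamps and inode are made up).
AUDIT_SAMPLE='type=AVC msg=audit(1676471078.140:2173): avc:  denied  { name_connect } for  pid=10824 comm="httpd" dest=8009 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1676471078.150:2174): avc:  denied  { read } for  pid=10824 comm="httpd" name="app.conf" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# The httpd error_log entry from the page (the first of the three).
ERROR_LOG_SAMPLE='[Wed Feb 15 16:24:38.140421 2023] [proxy:error] [pid 10679:tid 10824] (13)Permission denied: AH00957: AJP: attempt to connect to 127.0.0.1:8009 (127.0.0.1) failed'

# errno 13 (EACCES) on an outbound connect() from httpd is the SELinux signature;
# a backend that is simply down gives (111)Connection refused instead.
is_selinux_candidate() {
    printf '%s\n' "$1" | grep -q '(13)Permission denied: AH00957'
}

# Print "source_type target_type class permission dest" for every AVC denial
# whose comm is httpd. Pure awk, standing in for `ausearch -m avc -c httpd`.
parse_httpd_denials() {
    printf '%s\n' "$1" | awk '
        /avc: +denied/ && /comm="httpd"/ {
            perm = ""; src = ""; tgt = ""; cls = ""; dest = "-"
            # the denied permission sits between "{ " and " }"
            if (match($0, /[{] [a-z_]+ [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n < 2) continue
                # contexts are user:role:type:level; the type is the third field
                if (kv[1] == "scontext") { split(kv[2], c, ":"); src = c[3] }
                if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
                if (kv[1] == "tclass") cls = kv[2]
                if (kv[1] == "dest") dest = kv[2]
            }
            print src, tgt, cls, perm, dest
        }'
}

# Map one parsed denial to the narrowest fix. Only the name_connect-to-http_port_t
# case is the AH00957 problem; anything else needs its own investigation.
recommend_fix() {
    src=$1; tgt=$2; cls=$3; perm=$4; dest=$5
    case "$src:$tgt:$cls:$perm" in
        httpd_t:http_port_t:tcp_socket:name_connect)
            # httpd_can_network_relay opens only ports labelled http_port_t
            # (8009 is one of them in the stock policy); httpd_can_network_connect
            # would let httpd connect to any port. Take the narrower boolean.
            echo "setsebool -P httpd_can_network_relay 1" ;;
        httpd_t:*:tcp_socket:name_connect)
            # Backend on a port with some other label: label the port for httpd
            # instead of loosening httpd itself (assumed free; use -m if taken).
            echo "semanage port -a -t http_port_t -p tcp $dest" ;;
        *)
            echo "unrelated to AH00957; review separately" ;;
    esac
}

# Stand-alone run: confirm the error_log symptom, then triage each denial.
if is_selinux_candidate "$ERROR_LOG_SAMPLE"; then
    parse_httpd_denials "$AUDIT_SAMPLE" | while read -r src tgt cls perm dest; do
        printf '%-8s -> %-12s %-10s %-12s : %s\n' "$src" "$tgt" "$cls" "$perm" \
            "$(recommend_fix "$src" "$tgt" "$cls" "$perm" "$dest")"
    done
fi
```

Run it as is to see the two denials from the sample triaged; point parse_httpd_denials at "$(sudo ausearch -m avc -c httpd -ts recent)" on a real host. The second sample denial (a file read under user_home_t) is there to show why the generated .te above should be reviewed line by line: audit2allow would happily turn it into an allow rule too.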
Links
How to create its own custom SELinux policy module wisely