Create custom SELinux Policy

Problem: The apche httpd cannot connect to tomcat running on port 8009 with AJP protocol.


curl localhost returns 503

curl localhost
<title>503 Service Unavailable</title>
<h1>Service Unavailable</h1>
<p>The server is temporarily unable to service your
request due to maintenance downtime or capacity
problems. Please try again later.</p>

There is Permission denied: AH00957 in apache httpd (ssl)_error_log

sudo cat /var/log/httpd/error_log
[Wed Feb 15 16:24:38.140421 2023] [proxy:error] [pid 10679:tid 10824] (13)Permission denied: AH00957: AJP: attempt to connect to ( failed[Wed Feb 15 16:24:38.140455 2023] [proxy:error] [pid 10679:tid 10824] AH00959: ap_proxy_connect_backend disabling worker for ( for 60s[Wed Feb 15 16:24:38.140458 2023] [proxy_ajp:error] [pid 10679:tid 10824] [client] AH00896: failed to make connection to backend:

Remedy (1)

sudo setsebool -P httpd_can_network_connect 1

Remedy (2)

Create custom SELinux policy, let generate type enforcement file

sudo grep http /var/log/audit/audit.log | grep denied | audit2allow -m httplocalconf > httplocalconf.te

Edit generated type enforcement httplocalconf.te file

module httplocalconf 1.0;

require {
        type httpd_t;
        type http_port_t;
        class tcp_socket name_connect;
        class file read;

#============= httpd_t ==============

#!!!! This avc can be allowed using one of the these booleans:
#     httpd_can_network_connect, httpd_graceful_shutdown, httpd_can_network_relay, nis_enabled
allow httpd_t http_port_t:tcp_socket name_connect;

Convert it to policy module

checkmodule -M -m -o httplocalconf.mod httplocalconf.te

Compile new  policy

semodule_package -o httplocalconf.pp -m httplocalconf.mod

Install new policy

sudo semodule -i httplocalconf.pp


How to create its own custom SELinux policy module wisely

How to read and correct SELinux denial messages

Chapter 5. Troubleshooting problems related to SELinux

Schreibe einen Kommentar