I am running CentOS 6.2.
Recently I noticed that Apache was running with SELinux enabled:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=Permissive
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
I noticed that these errors were showing up in dmesg:
type=1400 audit(1354453732.704:9056368): avc: denied { name_connect } for pid=39006 comm="httpd" dest=11211 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket
type=1400 audit(1354453735.777:9056369): avc: denied { name_connect } for pid=39046 comm="httpd" dest=6379 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
I then enabled
/usr/sbin/setsebool httpd_can_network_connect=1
and this stopped the errors, and the webpages also started to work.
My question is: if SELinux is in permissive mode, will SELINUXTYPE=targeted enforce any policies?
If not, how did it solve the problem with Apache, as SELinux was already in permissive mode?
In permissive mode, SELinux will log items which would have resulted in denial of access in enforcing mode, but will not actually deny those actions. So no, it will not enforce policies in permissive mode, but it will consult those policies. Had you been in enforcing mode, you would not have been able to start/use httpd until you issued the setsebool command since the link between it and a network connection would have been prevented by SELinux.
As already answered by John, SELinux just logs the errors, instead of blocking services.
We use SELinux in scenarios where we would like to test things before deploying them into production and would like to understand what all could go wrong.
Though you can test the same in production also, and keep fixing the policies until you are sure that everything is in place, and later on change the mode to targeted.
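The AVC records quoted in the question can be triaged before flipping a boolean. The following is an added example, not part of the original posts: it parses those two lines and lists each httpd_t outbound-connect denial with a candidate boolean. The function names are hypothetical, and the narrower boolean httpd_can_network_memcache does not appear on the page; it is an assumption to confirm with `getsebool -a` on the host.

```python
import re

# Constructed sample input: the two AVC records quoted in the question.
SAMPLE = """\
type=1400 audit(1354453732.704:9056368): avc: denied { name_connect } for pid=39006 comm="httpd" dest=11211 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket
type=1400 audit(1354453735.777:9056369): avc: denied { name_connect } for pid=39046 comm="httpd" dest=6379 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+(?P<result>denied|granted)"
    r"\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption: boolean names as documented for the targeted policy's httpd
# domain; confirm on the host with `getsebool -a | grep httpd`.
NARROW_BOOLEAN = {"memcache_port_t": "httpd_can_network_memcache"}
BROAD_BOOLEAN = "httpd_can_network_connect"  # the boolean set in the question


def parse_avc(line):
    """Parse one AVC record into a dict, or return None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["result"] = m.group("result")
    rec["perms"] = m.group("perms").split()
    rec["timestamp"] = float(m.group("ts"))
    # A context is user:role:type:level; the type is what targeted policy matches.
    rec["source_type"] = rec.get("scontext", ":::").split(":")[2]
    rec["target_type"] = rec.get("tcontext", ":::").split(":")[2]
    return rec


def triage(text):
    """Return (port, target type, candidate boolean) per httpd connect denial."""
    rows = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if not rec or rec["result"] != "denied":
            continue
        if rec["source_type"] == "httpd_t" and "name_connect" in rec["perms"]:
            hint = NARROW_BOOLEAN.get(rec["target_type"], BROAD_BOOLEAN)
            rows.append((int(rec.get("dest", -1)), rec["target_type"], hint))
    return rows


if __name__ == "__main__":
    for port, ttype, hint in triage(SAMPLE):
        print(f"httpd_t -> tcp/{port} ({ttype}): candidate boolean {hint}")
```

The second record targets the generic port_t type, so only the broad boolean from the question (or a dedicated label for that port) would cover it.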