My system is running CentOS 6.4 with Apache 2.2.15. SELinux is enforcing and I'm trying to connect to a local instance of Redis through my Python/WSGI app. I get Error 13, Permission denied. I could fix this via the command:
setsebool -P httpd_can_network_connect
However, I don't exactly want httpd to be able to connect to all TCP ports. How can I specify which ports/networks httpd is allowed to connect to? If I could make a module to allow httpd to connect to port 6379 (Redis) or any TCP port on 127.0.0.1, that would be preferable. Not sure why my paranoia is so strong on this, but hey...
Anyone know?
By default, the SELinux policy will only allow services access to recognized ports associated with those services:
- add Redis port (6379) to SELinux policy
You can also install the setroubleshoot-server RPM and run: sealert -a /var/log/audit/audit.log
- it will give you a nice report with useful suggestions (including the command above).
PHP script to test connection:
You may need to use
If semanage is missing, add the package policycoreutils-python.
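As an added example (not from the answer above), here is a small POSIX shell helper that reads a `semanage port -l` listing and decides whether port 6379 is already labelled, so you know whether to add it to http_port_t with `-a` or modify an existing label with `-m`. The listing embedded below is constructed sample output, not taken from a real host; on your system you would pipe in the real `semanage port -l` instead.

```shell
#!/bin/sh
# Constructed sample of `semanage port -l` output (CentOS 6 style); not real output.
SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      3128, 8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
mysqld_port_t                  tcp      1186, 3306, 63132-63164'

# Print the SELinux port type that already covers PROTO/PORT in a
# `semanage port -l` listing read from stdin; print nothing if unlabelled.
# Handles both single ports and ranges such as 10001-10010.
port_type() {
    proto="$1"; port="$2"
    awk -v proto="$proto" -v port="$port" '
        NF >= 3 && $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                if (split(p, r, "-") == 2) { lo = r[1]; hi = r[2] } else { lo = p; hi = p }
                if (port + 0 >= lo + 0 && port + 0 <= hi + 0) { print $1; exit }
            }
        }'
}

# Emit the semanage command that lets httpd reach PROTO/PORT through
# http_port_t: -a when the port is unlabelled, -m when another type already
# owns it (semanage port -a fails with "already defined" in that case), and
# nothing when http_port_t already covers it. Note that -m takes the port
# away from its current type, so check which service owns it first.
semanage_port_cmd() {
    proto="$1"; port="$2"
    cur=$(port_type "$proto" "$port")
    case "$cur" in
        "")          echo "semanage port -a -t http_port_t -p $proto $port" ;;
        http_port_t) : ;;
        *)           echo "semanage port -m -t http_port_t -p $proto $port" ;;
    esac
}

# Usage with the constructed listing; on a real box use: semanage port -l | semanage_port_cmd tcp 6379
printf '%s\n' "$SAMPLE_PORT_LIST" | semanage_port_cmd tcp 6379
```

Adding 6379 to http_port_t is still far narrower than httpd_can_network_connect, which opens every port; the custom policy module route in the other answer is the alternative if you also want to restrict the destination address.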
You could temporarily put SELinux in permissive mode and let httpd connect to Redis, then generate and build a custom policy module using audit2allow.