September 2006 Archives


I’m trying to live with the benefits of SELinux instead of disabling it every time I find it disallows the action I’m trying. I am testing a demo version of an application I’m thinking about using on my Radio Blog that allows users to make requests and dedications. I’m testing it on one of my other Linux backup systems, not published to the public of course.

Oh, today I don’t feel like using specific ports and application names since I don’t know if I will use the application. I still have a bit more testing and configuring to do with this application.

The request mechanism is HTTP generated and uses a specific port. Well, using the Webmin tool I believe I successfully added a rule allowing this port to be accessed. The issue, now that I’m writing about it, may be in the functions of the application itself.

A bit of background: The application runs on Windows with a MySQL database instance on that Windows system. I have another MySQL database instance running on my Linux web server system that gets the updates via a utility from the other MySQL instance on the Windows system. That works fine, the information on the two MySQL instances is identical, and my Linux web server can access its local MySQL instance to draw the information it needs to run the website. I also have some PHP files I ftp’d over to my Linux system that run my PHP generated web site and perform various functions such as the HTTP requests and dedications.

The requests and dedications via HTTP are the issue here; they wait to be received via “the request line port” on my Windows server that runs the application. Well, I kept getting permission denied errors when trying to make requests. I confirmed that this port was open on my router and that it showed with “netstat” as listening on that port on the Windows system, waiting to hear the request. I was even able to successfully telnet to “the request line port” on that system. I then went and looked at where the request would be coming from, my Linux web server, and ensured it had permissions in the allow file of the application from the LAN (both NICs) and the WAN. The WAN I knew worked, since the alternative method of asking for requests worked fine from another source on the WAN.


So now the issue was what is blocking the requests from my Linux system! Well, I started looking around and of course the requests go through just fine with SELinux in permissive mode or disabled. I had “the request line port” enabled, but then I started thinking: what if the requests, which are handled via a PHP file, aren’t going out via “the request line port”!

Plus the fact that the “system-config-securitylevel” utility didn’t allow me to add that port the same way I added the port for MySQL. I believe this is because nothing on my Linux server is listening or running on that port, whereas MySQL is running on my Linux system.

So now I’m completely up against it: I cannot add the port, and the policies I added in SELinux via Webmin for “the request line port” are not having any effect. Then, considering that “the request line port” may not be applicable from my Linux web server and that it may be using a totally different port, I started looking at the other SELinux policy settings in the “system-config-securitylevel” utility. Since this was an HTTP request, I looked in the “HTTPD Service” section, where I checked “Allow HTTPD scripts and modules to connect to the network”, and now all my requests work!


What does this mean? The PHP requests may go to “the request line port” on the Windows system where the application resides, but on the requesting system, which will always be where the web server resides, it doesn’t use “the request line port”. In the SELinux policy settings I had to check “Allow HTTPD scripts and modules to connect to the network” to allow requests to propagate from the Linux web server.
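That checkbox in system-config-securitylevel sets the targeted policy’s `httpd_can_network_connect` boolean, which is what lets a PHP script running under Apache (domain `httpd_t`) open outbound TCP connections, and the underlying refusal is logged as an AVC denial before the boolean is flipped. The following is an added example, not code from the original post: it parses constructed sample AVC lines in the audit.log format and maps an `httpd_t` outbound-connect denial to the boolean that clears it, noting the narrower `httpd_can_network_connect_db` (database ports only) available in later targeted policies.

```python
import re

# Constructed sample AVC denials in the format SELinux writes to /var/log/audit/audit.log.
# The first is what a PHP script under Apache produces when httpd_t is refused an outbound
# TCP connect to a generic port; the second targets a MySQL port; the third is unrelated.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1158000000.123:456): avc:  denied  { name_connect } for  pid=1234 '
    'comm="httpd" dest=8080 scontext=root:system_r:httpd_t tcontext=system_u:object_r:port_t '
    'tclass=tcp_socket',
    'type=AVC msg=audit(1158000010.456:457): avc:  denied  { name_connect } for  pid=1235 '
    'comm="httpd" dest=3306 scontext=root:system_r:httpd_t '
    'tcontext=system_u:object_r:mysqld_port_t tclass=tcp_socket',
    'type=AVC msg=audit(1158000020.789:458): avc:  denied  { read } for  pid=1236 '
    'comm="httpd" name="index.html" scontext=root:system_r:httpd_t '
    'tcontext=user_u:object_r:user_home_t tclass=file',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{ ([^}]+) \} for\s+(.*)$')


def parse_avc(line):
    """Return the permission, source/target types and object class of one AVC line, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2)))
    # A security context is user:role:type[:level]; the type is the third component.
    return {
        'perm': m.group(1).strip(),
        'stype': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'comm': fields.get('comm', '').strip('"'),
        'dest': fields.get('dest'),
    }


def suggest_boolean(avc):
    """Map an httpd outbound-connect denial to the targeted-policy boolean that permits it."""
    if avc is None or avc['stype'] != 'httpd_t':
        return None
    if avc['tclass'] != 'tcp_socket' or avc['perm'] != 'name_connect':
        return None
    if avc['ttype'] == 'mysqld_port_t':
        return 'httpd_can_network_connect_db'  # narrower: database ports only
    return 'httpd_can_network_connect'  # the "connect to the network" checkbox


def remediation(line):
    """The setsebool command (persistent, -P) for a denial, or None if no boolean applies."""
    boolean = suggest_boolean(parse_avc(line))
    return f'setsebool -P {boolean} on' if boolean else None
```

The same denial can be confirmed on the live system with `ausearch -m avc -c httpd`, and the current setting with `getsebool httpd_can_network_connect`.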