I’m trying to live with the benefits of SELinux instead of disabling it every time I find it disallows the action I’m trying. I am testing a demo version of an application I’m thinking about using on my Radio Blog that allows users to make requests and dedications. I’m testing it on one of my other Linux backup systems, not published to the public of course.
Today I don’t feel like using specific ports and application names, since I don’t know if I will use the application. I still have a bit more testing and configuring to do with it.
The request mechanism is HTTP-generated and uses a specific port. Using the Webmin tool, I believe I successfully added a rule allowing this port to be accessed. The issue, now that I’m writing about it, may be in the functions of the application itself.
A bit of background: the application runs on Windows with a MySQL database instance on that Windows system. I have another MySQL database instance running on my Linux web server system that gets the updates from the MySQL instance on the Windows system via a utility. That works fine; the information on the two MySQL instances is identical, and my Linux web server can access its local MySQL instance to draw the information it needs to run the website. I also have some PHP files I FTP’d over to my Linux system, which runs my PHP-generated web site and performs various functions such as the HTTP requests and dedications.
The requests and dedications via HTTP are the issue here; they are received via “the request line port” on my Windows server that runs the application. I kept getting permission denied errors when trying to make requests. I confirmed that this port was open on my router, and that “netstat” showed the Windows system listening on that port, waiting to hear the request. I was even able to telnet successfully to “the request line port” on that system. I then looked at where the request would be coming from, my Linux web server, and ensured it had permissions in the application’s allow file from the LAN (both NICs) and the WAN. I knew the WAN worked, since the alternative method of asking for requests worked fine from another source on the WAN.
So now the issue was: what is blocking the requests from my Linux system? I started looking around, and of course the requests go through just fine with SELinux in permissive mode or disabled. I had “the request line port” enabled, but then I started thinking: what if the requests, which are handled via a PHP file, aren’t going out via “the request line port”?
Plus the “system-config-securitylevel” utility didn’t allow me to add that port the same way I added the port for MySQL. I believe this is because that port is not listening or running any application on my Linux server, whereas MySQL is running on my Linux system.
So now I was completely up against it: I could not add the port, and the policies I added in SELinux via Webmin for “the request line port” were not having any effect. Considering that “the request line port” may not be applicable from my Linux web server, which may be using a totally different port, I started looking at the other SELinux policy settings in the “system-config-securitylevel” utility. Since this was an HTTP request, I looked in the “HTTPD Service” section, where I checked “Allow HTTPD scripts and modules to connect to the network”, and now all my requests work!
What does this mean? The PHP requests may go to “the request line port” on the Windows system where the application resides, but from the requesting system, which will always be where the web server resides, it doesn’t use “the request line port”. In the SELinux policy settings I had to check “Allow HTTPD scripts and modules to connect to the network” to allow requests to propagate from the Linux web server.
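The checkbox that fixed this is the SELinux boolean httpd_can_network_connect in the targeted policy. It lets anything running in the httpd_t domain (Apache and the PHP it executes) open outbound TCP connections to any port, which is why rules written for a specific inbound port made no difference to an outbound connection. The denial itself is recorded in /var/log/audit/audit.log as an AVC message naming the source context, the destination port and the port's label, so that log is the place to look before flipping booleans. The script below is an added example and is not part of the original post: it reads constructed AVC lines (the pids, ports and timestamps are invented), picks out name_connect denials from httpd_t, and suggests the narrowest boolean that would permit each. httpd_can_network_connect_db covers only database port types such as mysqld_port_t and is the one to prefer when the PHP only needs to reach MySQL; the blanket httpd_can_network_connect is what a connection to an arbitrary port like the request line port needs. The getsebool/setsebool calls are only attempted if those tools are installed.

```shell
#!/bin/sh
# Added example (not from the original post): triage SELinux AVC denials
# logged for httpd and map each to the boolean that would permit it.
# The three lines in SAMPLE_AVC are constructed for this example; the
# pids, ports and audit timestamps are invented.

SAMPLE_AVC='type=AVC msg=audit(1300000000.101:201): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=8800 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1300000000.102:202): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1300000000.103:203): avc:  denied  { read } for  pid=2345 comm="httpd" name="requests.php" dev=sda1 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# Print the value of one space-delimited key=value field of an AVC line
# ($1 = line, $2 = key); prints nothing if the key is absent.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Print the permission named inside "denied { ... }" for an AVC line.
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{ *\([^}]*\)}.*/\1/p' | tr -d ' '
}

# Read AVC lines on stdin and, for each denial whose source domain is
# httpd_t, print one line: "<dest-port> <port-type> <boolean>" for an
# outbound TCP connect, or "<class> <perm> none" for anything else
# (those need a file label or a custom module, not a network boolean).
suggest_httpd_booleans() {
    while IFS= read -r line; do
        case "$line" in
            *avc:*denied*) ;;
            *) continue ;;
        esac
        case "$(avc_field "$line" scontext)" in
            *:httpd_t:*) ;;
            *) continue ;;
        esac
        tclass=$(avc_field "$line" tclass)
        perm=$(avc_perm "$line")
        if [ "$tclass" = tcp_socket ] && [ "$perm" = name_connect ]; then
            dest=$(avc_field "$line" dest)
            # the type component of the target context is the port label
            ptype=$(avc_field "$line" tcontext | cut -d: -f3)
            case "$ptype" in
                mysqld_port_t|postgresql_port_t)
                    bool=httpd_can_network_connect_db ;;  # narrow: DB ports only
                *)
                    bool=httpd_can_network_connect ;;     # broad: any port
            esac
            printf '%s %s %s\n' "$dest" "$ptype" "$bool"
        else
            printf '%s %s none\n' "$tclass" "$perm"
        fi
    done
}

# Show the boolean's current value (only if the SELinux tools exist on
# this host) and the command that changes it persistently.
show_fix() {
    if command -v getsebool >/dev/null 2>&1; then
        getsebool "$1" || true
    fi
    printf 'to allow: setsebool -P %s 1\n' "$1"
}

printf '%s\n' "$SAMPLE_AVC" | suggest_httpd_booleans
show_fix httpd_can_network_connect
```

On a real box, feed it the live log instead of the sample, for example `grep 'comm="httpd"' /var/log/audit/audit.log | suggest_httpd_booleans`, and note that setsebool without -P is lost at reboot, which is why the GUI checkbox (which sets it persistently) survived a restart.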