<\/p>\n
I\u2019m trying to live with the
\nbenefits of SELinux <\/b>instead of disabling it every time I discover find it
\ndisallows the action I\u2019m trying. I am testing a demo version of an application
\nI\u2019m thinking about using on my Radio Blog <\/b>that allows users to make
\nrequests and dedications. I\u2019m testing it on one of my other Linux backup systems
\nnot published to the public of course.<\/p>\n
Oh today I don\u2019t feel like using
\nspecific ports and application names since I don\u2019t know if I will used the
\napplication. I still have a bit more testing and configuring to do with this
\napplication.<\/p>\n
The requests mechanism is HTTP<\/b> generated
\nand uses a specific port. Well using Webmin<\/b> tool I believe I successfully
\nadded a rule allowing for this port to be accessed. The issue now that I\u2019m
\nwriting about it may be in the functions of the application itself.<\/p>\n
A bit of background: The application runs on
\nWindows with a MySQL<\/b> database instance on that Windows system. I have
\nanother MySQL<\/b> database instance running on my Linux web server system
\nthat gets the updates via a utility from the other MySQL<\/b> instance on the
\nWindows system. That works fine and the information on the two MySQL<\/b>
\ninstances is identical and my Linux web server can access its local MySQL<\/b>
\ninstance to draw its information to run the website. I also have some PHP<\/b>
\nfiles I ftp\u2019d over to my Linux system that runs my PHP<\/b> generated web site
\nand performs various functions such as the HTTP<\/b> requests and dedications.<\/p>\n
The request and dedications via HTTP<\/b> are
\nthe issue here and wait to be received via \u201cthe request line port\u201d<\/b> on my
\nWindows server that runs the application. Well I kept getting permission denied
\nerrors when trying to make requests. I confirmed that this port was open on my
\nrouter, that it showed with \u201cnetstat\u201d as listening on that port on the Windows
\nsystem waiting to hear the request. I was even able to successfully telnet to
\n\u201cthe request line port\u201d<\/b> on that system. I then went and looked at where the
\nrequest would be coming from, my Linux Web Server, and insured it had
\npermissions in the allow file of the application from the LAN (both NIC\u2019s) and
\nthe WAN. The WAN I knew worked since the alternative method of asking for
\nrequest worked fine from another source on the WAN.<\/p>\n
<\/p>\n
So now the issue was what is blocking the
\nrequests from my Linux system! Well I started looking around and of course the
\nrequests go through just fine with SELinux<\/b> in permissive mode or
\ndisabled. I had the \u201cthe request line port\u201d<\/b> enabled but then I started
\nthinking what if the request which are handled via a PHP file aren\u2019t going out
\nvia \u201cthe request line port\u201d<\/b>! <\/p>\n
Plus the fact that the
\n\u201csystem-config-securitylevel\u201d<\/b> utility didn\u2019t allow me to add that port the
\nsame way I added the port for MySQL. I believe this is because that port is not
\nlistening or running any application on my Linux server and mysql is running on
\nmy Linux system.<\/p>\n
So now I\u2019m completely up against it I cannot
\nadd the port and the policies I added in SELinux<\/b> via Webmin for that
\n\u201cthe request line port\u201d<\/b> is not having any affect. Then considering that the
\n\u201cthe request line port\u201d<\/b> may not be applicable from my Linux web server
\nand using a totally different port I started looking at the other SELinux<\/b>
\npolicy settings in the \u201csystem-config-securitylevel\u201d<\/b> utility. Since this
\nwas an HTTP<\/b> request looked in the \u201cHTTPD Service\u201d<\/b> section where I
\nchecked \u201cAllow HTTPD scripts and modules to connect to the network\u201d<\/b> and
\nnow all my requests work!<\/p>\n
<\/p>\n
What does this mean? The PHP requests may go to
\n\u201cthe request line port\u201d<\/b> the Windows system where the application resides
\nbut from the requesting system which will always be where the web server resides
\nit doesn\u2019t use the \u201cthe request line port\u201d<\/b>. In the SELinux<\/b> policy
\nsettings I have to I checked \u201cAllow HTTPD scripts and modules to connect to
\nthe network\u201d<\/b> to allow request to propagate from the Linux web server.<\/p>\n","protected":false},"excerpt":{"rendered":"
I\u2019m trying to live with the benefits of SELinux instead of disabling it every time I discover find it disallows the action I\u2019m trying. I am testing a demo version of an application I\u2019m thinking about using on my … Continue reading