
We have a service mapped to the web application.

So we need to allow port 80, and port 16700 for its backend service.

During login, it connects to this service for authentication and other parts of the data.

In the firewall, we allow these two using:

firewall-cmd --permanent --add-port=16700/tcp
firewall-cmd --permanent --add-port=80/tcp

If I disable SELinux or set it to permissive, it works. If I set it to enforcing, it does not work.

So I added the following for port 80: setsebool -P httpd_can_network_connect on

But it is still failing the login attempt because of port 16700. And adding 16700 to http_port_t also doesn't work: semanage port -a -t http_port_t -p tcp 16700

And 16700 is not in any boolean either.

Any suggestion, how to enable this port in selinux?

OS: Red Hat 7.4

Uday Kiran Reddy

1 Answer

semanage port -a -t http_port_t -p tcp 16700 is the correct action to allow the port in SELinux. If it "doesn't work" then you need to figure out why. Check the error messages you may have received, check the audit log, check the rest of the logs just to be sure.

Of course, you also need to open the port in the firewall, and you don't seem to have done that. You changed the configuration on disk, but not the actual running firewall. Open the port with:

firewall-cmd --add-port=16700/tcp

It's best practice to not use --permanent except for commands which actually require it, such as adding and removing zones. If you make a mistake adding a port, and lock yourself out, you can simply restart the firewall (or the VM) to recover. If you added a wrong rule as a permanent rule, then as soon as the firewall restarts, you will be locked out and have great difficulty recovering. Once you are sure the running firewall works correctly, you can save it with firewall-cmd --runtime-to-permanent.

Michael Hampton
  • I added that port in SELinux but it is still not working. This port 16700 is not used directly by http; it is used by our application for access. So I think it should be created on a separate type. But there is no type related to our service. – Uday Kiran Reddy Jun 23 '20 at 13:39
  • @UdayKiranReddy You still need to open the port in the firewall. – Michael Hampton Jun 23 '20 at 13:46
  • Yeah, I already did that before as well, for both 80 and 16700 – Uday Kiran Reddy Jun 23 '20 at 13:52
  • @UdayKiranReddy If you did, it is not present in your question. See above. – Michael Hampton Jun 23 '20 at 13:56
  • It is already present. Please check line 5 – Uday Kiran Reddy Jun 23 '20 at 14:40
  • @UdayKiranReddy You did not do it correctly. Read this answer again. – Michael Hampton Jun 23 '20 at 15:04
  • Instead of checking for corrections in the question posted, why don't we proceed further, friend? And as I told you, check line 5. Pasted again for you: firewall-cmd --permanent --add-port=16700/tcp firewall-cmd --permanent --add-port=80/tcp Of course, it got printed on the same line, but I guess you are not a computer that gets stuck there and shows errors – Uday Kiran Reddy Jun 24 '20 at 15:29
  • I did check that. And I already answered it. I don't understand what is going on here. Why do you not fix the problem? – Michael Hampton Jun 24 '20 at 15:45
  • Your answer is to add the port to SELinux as an http port. But it still has the same issue, because 16700 is not an http port. It is used by the background service for authentication, not by the web server. And I did mention that earlier in the question itself. To be frank, you are just telling me to repeat the steps I already mentioned in the question. If you have any other options, please let me know. – Uday Kiran Reddy Jun 24 '20 at 15:55
  • @UdayKiranReddy You also need to fix the firewall. You claim to have done this, but the thing you say you have done is not correct. I explained why it is not correct and how to fix it, so this is what you need to do. – Michael Hampton Jun 24 '20 at 15:58
  • I disabled the firewall as well to check for this. – Uday Kiran Reddy Jun 24 '20 at 16:00
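The answer's advice is to look at the audit log rather than guess, and the comments show why: a port label such as http_port_t only matters in combination with the source domain of the process that is denied. The script below is an added example, not code from the question, the answer or the application being discussed. It parses AVC records from /var/log/audit/audit.log for a given port and maps each denial to the fix that actually applies: the httpd_can_network_connect boolean when the source is httpd_t, a port label when the port is still unreserved_port_t, or a local policy module when a different domain is the one being denied. The audit lines are constructed samples; the domain myapp_t, the process name authd and the pids are hypothetical and not part of the RHEL 7 policy.

```python
"""Triage SELinux AVC denials for one TCP port from audit.log records.

Added example for the thread above, not code from the original post.
The audit lines in SAMPLE_AUDIT are constructed; "myapp_t" and "authd"
are hypothetical names, not types or services from the RHEL 7 policy.
"""
import re

# "avc:  denied  { perm ... } for  key=value key="quoted value" ..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)"
)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Parse one audit.log AVC record into a dict; return None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, quoted, bare in KV_RE.findall(m.group("fields")):
        rec[key] = quoted if bare == "" else bare
    # A context is user:role:type:level; the type is what the policy rules use.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    if "dest" in rec:
        rec["dest"] = int(rec["dest"])
    return rec


def diagnose(rec, port):
    """Return (code, advice) for a denied TCP connect to `port`."""
    if rec is None or rec.get("tclass") != "tcp_socket" or rec.get("dest") != port:
        return ("other", f"not a TCP denial for port {port}")
    if "name_connect" not in rec["perms"]:
        return ("not_name_connect",
                f"denied permission is {' '.join(rec['perms'])}, not name_connect")
    src, tgt = rec["scontext_type"], rec["tcontext_type"]
    if src == "httpd_t":
        # The boolean lets httpd_t connect to any port type, so the label is irrelevant.
        return ("httpd_boolean",
                "source is httpd_t: setsebool -P httpd_can_network_connect on")
    if tgt == "unreserved_port_t":
        # An unlabelled port: pick a type the source domain may connect to, then label it.
        return ("unlabelled_port",
                f"port {port} is unlabelled; find a type {src} may name_connect to with "
                f"'sesearch -A -s {src} -c tcp_socket -p name_connect', then "
                f"'semanage port -a -t <type> -p tcp {port}'")
    # Labelled port, non-httpd domain: the label alone grants nothing to this domain.
    return ("custom_policy",
            f"{src} has no rule allowing name_connect to {tgt}; the port label alone "
            f"does not grant it. Build a local module: ausearch -m avc -ts recent | "
            f"audit2allow -M local_{src} && semodule -i local_{src}.pp")


def triage(lines, port):
    """Return [(comm, code, advice)] for every denial in `lines` that targets `port`."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        code, advice = diagnose(rec, port)
        if code == "other":
            continue
        if rec.get("permissive") == "1":
            advice += " (logged in permissive mode: this is what enforcing mode blocks)"
        out.append((rec.get("comm", "?"), code, advice))
    return out


# Constructed sample records, not taken from any real host.
SAMPLE_AUDIT = [
    # httpd reaching the backend before the boolean was set
    'type=AVC msg=audit(1592917000.101:301): avc:  denied  { name_connect } for  pid=2311 '
    'comm="httpd" dest=16700 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0',
    # the backend authenticator (hypothetical myapp_t) after 16700 was labelled http_port_t
    'type=AVC msg=audit(1592917000.202:302): avc:  denied  { name_connect } for  pid=2480 '
    'comm="authd" dest=16700 scontext=system_u:system_r:myapp_t:s0 '
    'tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0',
    # an unrelated file denial, which triage ignores
    'type=AVC msg=audit(1592917000.303:303): avc:  denied  { read } for  pid=2480 '
    'comm="authd" name="config.yml" dev="dm-0" ino=1234 scontext=system_u:system_r:myapp_t:s0 '
    'tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0',
    # the same backend denial recorded while SELinux was permissive
    'type=AVC msg=audit(1592917000.404:304): avc:  denied  { name_connect } for  pid=2480 '
    'comm="authd" dest=16700 scontext=system_u:system_r:myapp_t:s0 '
    'tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1',
]

if __name__ == "__main__":
    for comm, code, advice in triage(SAMPLE_AUDIT, 16700):
        print(f"{comm:<6} {code:<16} {advice}")
```

On a real host, feed it `ausearch -m avc -ts recent` output, or grep the port out of /var/log/audit/audit.log, and run it once with SELinux in permissive mode so every denial on the login path is recorded in a single pass instead of one at a time.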