
I have a small web server (CentOS 8) that runs a small php & mysql app. It also runs Nagios, BIND, and Postfix (running as a secondary MX).

Everything seems to "work", and I've never noticed any problems. I'm able to load Nagios and the other php app over port 443. If I load the URLs over http / port 80, Apache is configured to redirect to 443, and does that equally well.

However, selinux routinely logs the following AVC, indicating some issue on port 80:

```
time->Sat Dec 12 01:55:16 2020
type=AVC msg=audit(1607756116.608:1381369): avc:  denied  { name_connect } for  pid=631936 comm="httpd" dest=80 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
```

Looking at /var/log/httpd/error_log, I see a corresponding Permission Denied for the same pid at the same time:

```
[Sat Dec 12 01:55:16.608941 2020] [core:warn] [pid 631936] (13)Permission denied: AH00056: connect to listener on [::]:80
```

Is there a way for me to track down what, exactly, Apache is trying to do that is getting blocked? As I mentioned, nothing seems to be broken, so I haven't tried to build a module to allow this. But I'd like to find the root cause of the AVC denied message here, and either:

  • Allow it if it is harmless and should actually be allowed, OR
  • Configure Apache to stop trying to do whatever it is that it is trying to do

David W

1 Answer


The connection being made here is Apache connecting back to itself: these are logged as an internal dummy connection and are Apache's way of waking up its child processes.

By default SELinux doesn't allow the web server to make outbound network connections. Several booleans will change this behavior, but probably the one you want to use to fix this is httpd_graceful_shutdown, as that allows Apache to connect to any TCP port labeled http_port_t (80, 81, 443, 488, 8008, 8009, 8443, 9000), and nothing else. As the name suggests, this makes Apache's shutdown not throw spurious warnings, as it also wants to connect to itself when shutting down. It will also get rid of the instant problem and allow the internal dummy connection.

```
setsebool -P httpd_graceful_shutdown 1
```

Michael Hampton
  • `cat /var/log/audit/audit.log | audit2allow` does show that as a valid option. I should have looked at `audit2allow` before opening this question, although your explanation answers the questions I still would have had after doing that! Thank you. – David W Dec 12 '20 at 16:04
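To make the root-cause question above concrete, here is an added triage script (not from the post or its authors) that reads AVC lines in the layout shown in the question and reports, for each `httpd_t` TCP `name_connect` denial, which `httpd_*` boolean would cover it, so the narrowest one (`httpd_graceful_shutdown` for the internal dummy connection, as the answer explains) is chosen over a blanket allow or a generated policy module. Only the first sample line is copied from the question; the remaining sample lines are constructed, the port-type-to-boolean mapping is my reading of the standard httpd policy booleans rather than something the post states, and `check_live_policy` is a hypothetical helper that only runs `getsebool`/`semanage` where they exist.

```shell
#!/bin/sh
# Triage helper for httpd AVC denials (added example, not from the original post).
# Assumes the "key=value" AVC layout shown in the question.

# Print the value of one "key=value" field of an AVC line (quotes stripped).
avc_field() {
    # $1 = audit line, $2 = key (comm, dest, scontext, tcontext, tclass, ...)
    printf '%s\n' "$1" | sed -n "s/.* $2=\"\{0,1\}\([^\" ]*\).*/\1/p"
}

# Print the permission named inside the braces, e.g. "name_connect".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\) }.*/\1/p'
}

# Third field of a context: system_u:object_r:http_port_t:s0 -> http_port_t
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Map one AVC line to the boolean that would permit it (assumed mapping):
#   httpd_graceful_shutdown      httpd_t -> http_port_t only (80, 81, 443, 488,
#                                8008, 8009, 8443, 9000); the dummy connection
#   httpd_can_network_connect_db httpd_t -> database port types
#   httpd_can_network_connect    httpd_t -> any other TCP port (broadest; avoid
#                                unless the app genuinely needs it)
#   other                        not an httpd_t TCP name_connect denial
classify_avc() {
    line=$1
    perm=$(avc_perm "$line")
    stype=$(ctx_type "$(avc_field "$line" scontext)")
    ttype=$(ctx_type "$(avc_field "$line" tcontext)")
    tclass=$(avc_field "$line" tclass)
    if [ "$stype" != httpd_t ] || [ "$tclass" != tcp_socket ] || [ "$perm" != name_connect ]; then
        echo other
        return 0
    fi
    case $ttype in
        http_port_t)                     echo httpd_graceful_shutdown ;;
        mysqld_port_t|postgresql_port_t) echo httpd_can_network_connect_db ;;
        *)                               echo httpd_can_network_connect ;;
    esac
}

# Count the AVC lines on stdin that fall into class $1.
count_class() {
    n=0
    while IFS= read -r line; do
        case $line in
            type=AVC*)
                if [ "$(classify_avc "$line")" = "$1" ]; then n=$((n + 1)); fi ;;
        esac
    done
    echo "$n"
}

# Per-class tally of an audit log read from stdin, most frequent first.
summarize_avc_log() {
    while IFS= read -r line; do
        case $line in type=AVC*) classify_avc "$line" ;; esac
    done | sort | uniq -c | sort -rn
}

# Constructed sample: line 1 is the denial from the question; the others are
# made up to exercise the remaining classes (the SYSCALL line is ignored).
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1607756116.608:1381369): avc:  denied  { name_connect } for  pid=631936 comm="httpd" dest=80 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1607756116.608:1381369): arch=c000003e syscall=42 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(1607756200.100:1381400): avc:  denied  { name_connect } for  pid=631940 comm="php-fpm" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1607756300.200:1381450): avc:  denied  { name_connect } for  pid=631950 comm="httpd" dest=25 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket permissive=0'

# Hypothetical live check: runs only on a host that has the SELinux tools.
check_live_policy() {
    if command -v getsebool >/dev/null 2>&1; then
        getsebool httpd_graceful_shutdown httpd_can_network_connect httpd_can_network_connect_db
    else
        echo "getsebool not available; skipping live boolean check"
    fi
    if command -v semanage >/dev/null 2>&1; then
        # Confirm which ports http_port_t (and thus the narrow boolean) covers.
        semanage port -l | grep '^http_port_t' || true
    fi
    return 0
}

printf '%s\n' "$SAMPLE_AUDIT_LOG" | summarize_avc_log
check_live_policy
```

On the real host, pipe actual denials in with `ausearch -m AVC -c httpd | summarize_avc_log`; the `time->` and separator lines ausearch adds are skipped because only `type=AVC` lines are classified. A tally dominated by `httpd_graceful_shutdown` with `dest=80`/`443` is the dummy-connection pattern from the question, while entries in the other two classes point at real outbound connections from the PHP app that deserve a look before any boolean is flipped.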