
I have a problem with SELinux enabled (set to enforcing) on our new RHEL 9 machine. We run the Apache webserver (httpd) and ZeroMQ there. In our custom Apache *.conf file we load a module for ZeroMQ.

With SELinux enabled (enforcing) the communication does not work, because SELinux seems to block loading the module or the communication.

In our custom Apache config there is the following configuration:

    LoadModule redirect_module $(PROG_MESSAGEQUEUE)/libmod_redirect.so
    <Location "/auth">
        RequestHeader set X-Forwarded-Proto "https"
        RequestHeader set X-Forwarded-Port "443"
        RequestHeader set X-Forwarded-Host "$(HOST_ADDRESS)"
        ZMQRedirectAddress tcp://127.0.0.1:2417
    </Location>

So the ZeroMQ message queue runs on the same system and the service is running. A look inside the Apache error_log shows that there seems to be a problem with our loaded module libmod_redirect.so.

I set SELinux to permissive mode and now the communication works / the module is loaded. But I'm very new to SELinux and don't know how to fix that problem. So what must I do to get this working with SELinux fully enabled (enforcing)?

  • In general: SELinux can log what it blocks and why, which allows you to devise a way to allow it. docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/… Chapter 5. Troubleshooting problems related to SELinux. In addition I would check if the ZeroMQ module installed its own SELinux policy and added a SELinux boolean to permit Apache to use it (getsebool -a and/or semanage boolean -l | grep with_suitable_boolean_name_string). If not, consider serverfault.com/questions/563872/… Commented Apr 29 at 12:28
  • Thanks for the link, but adding the port did not solve this; only enabling the seboolean httpd_can_network_connect did solve it. Commented May 3 at 8:18

1 Answer

Solved it with the help of @HBruijn.

So enabling the SELinux boolean httpd_can_network_connect (setsebool -P httpd_can_network_connect on) solved the problem. Now the specific httpd module (*.so file) is loaded and my services from other servers can connect to the ZeroMQ queue.

Adding the specific port to the SELinux policy did not work (semanage port -a -t http_port_t -p tcp PORT). As I found out, adding the port there is only useful if you want httpd to listen on this specific port, too.
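The distinction the answer draws (port label for listening vs. boolean for an outbound connect) is visible in the AVC denial itself, so it is worth reading the audit line before changing anything. The script below is an added example, not code from the question or answer: it parses an AVC line of the kind `ausearch -m AVC -ts recent -c httpd` would print on the RHEL 9 host and prints the matching remedy. Both AVC lines are constructed to resemble this scenario (httpd_t and tcp/2417); the pid, timestamps and the `unreserved_port_t` label of port 2417 are assumptions, so check the real label with `semanage port -l`.

```shell
#!/bin/sh
# Added example (not from the original post): classify an SELinux AVC denial
# for httpd and print the remedy, so "relabel the port" vs. "flip a boolean"
# is decided from the audit record rather than by trial and error.
#
# On the real host the input comes from:  ausearch -m AVC -ts recent -c httpd
# The two lines below are CONSTRUCTED samples; pid, timestamps and the
# unreserved_port_t label of tcp/2417 are assumptions.

# Outbound connect from httpd_t to tcp/2417 (the situation in the question).
SAMPLE_CONNECT_AVC='type=AVC msg=audit(1714390000.123:456): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=2417 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0'

# httpd_t trying to listen on tcp/2417 (the case a port label would fix).
SAMPLE_BIND_AVC='type=AVC msg=audit(1714390001.000:457): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=2417 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0'

# avc_field LINE KEY -> value of KEY=... (surrounding quotes stripped), or empty
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\"[:space:]]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE -> the permission named inside "denied { ... }"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^} ]*\).*/\1/p'
}

# avc_type CONTEXT -> the type component of user:role:type:level
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_remedy LINE -> one-line remedy for an httpd_t tcp_socket denial.
# Prints "unknown" and returns 1 for anything it does not recognise.
avc_remedy() {
    line=$1
    perm=$(avc_perm "$line")
    sdom=$(avc_type "$(avc_field "$line" scontext)")
    ttype=$(avc_type "$(avc_field "$line" tcontext)")
    tclass=$(avc_field "$line" tclass)
    # name_connect denials carry dest=, name_bind denials carry src=
    port=$(avc_field "$line" dest)
    [ -n "$port" ] || port=$(avc_field "$line" src)

    if [ "$sdom" != httpd_t ] || [ "$tclass" != tcp_socket ]; then
        echo unknown
        return 1
    fi

    case $perm in
    name_connect)
        # Outbound connect: relabelling the port as http_port_t does not grant
        # name_connect; httpd_t needs the boolean (or a custom module that
        # allows name_connect only to the port's type, built with audit2allow).
        echo "setsebool -P httpd_can_network_connect on   # outbound to tcp/$port ($ttype)"
        ;;
    name_bind)
        # Listening: this is where the port label is the fix. Use "-m" instead
        # of "-a" if the port already carries a type other than unreserved_port_t.
        echo "semanage port -a -t http_port_t -p tcp $port   # listen on tcp/$port"
        ;;
    *)
        echo unknown
        return 1
        ;;
    esac
}

# Demo: print the remedy for each constructed sample.
avc_remedy "$SAMPLE_CONNECT_AVC"
avc_remedy "$SAMPLE_BIND_AVC"
```

On the real host, `sesearch -A -s httpd_t -c tcp_socket -p name_connect` (setools) shows which rules grant the connect and which boolean each is conditional on, and `audit2why -a` gives the same verdict per denial. Keep in mind that `httpd_can_network_connect` lets httpd_t connect to any TCP port, so a compromised web process gains outbound reach; where that matters, a custom policy module restricted to the port type (or a dedicated port type for tcp/2417) is the least-privilege alternative.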
