
I am having a rather persistent issue with my Redis instance. While SELinux is in enforcing mode, Redis server is unable to start:

[root@server ~]# service redis start
Starting redis-server:                                     [  OK  ]

But in fact, it did not start as shown by lsof. It returns no result:

[root@server ~]# lsof -i :6379 

To further confirm that it is not running, here is the redis log:

[5539] 21 Nov 03:44:34 # Opening port 6379: bind: Permission denied 

Now, I am pretty new with SELinux managing so, please bear with me as I might have missed something. This is what I was able to see:

[root@server ~]# semanage port -l | grep "redis"
redis_port_t                   tcp      6379
[root@server ~]# semanage user -l
SELinux User    Prefix  MCS Level  MCS Range  SELinux Roles
....
redis           user    s0         s0         user_r
....

The above redis user did not exist initially, but I tried adding it as redis-server really runs under it. That did not help...

Just to note, Redis server is used internally, so it listens only to 127.0.0.1:6379.

Does anyone have any ideas?

For the time being, I can put SELinux in permissive mode, but I would really like to tighten it up and do it "by-the-book".

UPDATE:

[root@server ~]# ausearch -ts recent -m avc
----
time->Thu Nov 24 13:48:13 2016
type=SYSCALL msg=audit(1480013293.595:34717): arch=c000003e syscall=49 success=no exit=-13 a0=4 a1=7ffea866c0f0 a2=10 a3=7ffea866be50 items=0 ppid=1 pid=16468 auid=0 uid=495 gid=495 euid=495 suid=495 fsuid=495 egid=495 sgid=495 fsgid=495 tty=(none) ses=5202 comm="redis-server" exe="/usr/sbin/redis-server" subj=unconfined_u:system_r:redis_t:s0 key=(null)
type=AVC msg=audit(1480013293.595:34717): avc:  denied  { name_bind } for  pid=16468 comm="redis-server" src=6379 scontext=unconfined_u:system_r:redis_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket

UPDATE(2):

[root@server ~]# rpm -qa | grep -i redis
redis-2.4.10-1.el6.x86_64
php56w-pecl-redis-2.2.7-1.w6.x86_64

SOLUTION:

Following @Matthew's suggestion, I started analyzing the redis_port_t and http_port_t:

[root@server ~]# semanage port -l | grep "redis_port_t"
redis_port_t                   tcp      6379
[root@server ~]# semanage port -l | grep "http_port_t"
http_port_t                    tcp      6379, 80, 81, 443, 488, 8008, 8009, 8443, 9000

And there it was! The port 6379 was added to both port policies! And yes, I now remember doing this when I started the migration :( (shame on me).

So, running this fixed the issue:

semanage port -d -t http_port_t 6379
semanage permissive -d redis_t   # I don't need this anymore
service redis restart
lsof -i :6379

And there it was :)

redis-ser 4575 redis 4u IPv4 236174 0t0 TCP localhost:6379 (LISTEN) 
  • Have you tried installing redis_selinux? Also which linux are we talking about? Commented Nov 23, 2016 at 15:11
  • This page might be able to provide more help/clues about that redis_selinux RPM... Commented Nov 24, 2016 at 5:07
  • Can you duplicate the fault again then run after: ausearch -ts recent -m avc then edit the answer with the result? Commented Nov 24, 2016 at 10:38
  • You are not using the CentOS-provided redis packages, right? Please post the output of rpm -qa | grep -i redis Commented Nov 24, 2016 at 21:51
  • You should have gone with C7 in the beginning. It's a bad idea to start new projects on old OSes. Commented Nov 24, 2016 at 23:14

1 Answer


I think there's something odd going on in that policy of yours.

If you check the audit logs, it says whilst the SELinux source context is correctly labelled as redis_t the target context is labelled as http_port_t. This is despite what your policy says, that it should be redis_port_t.

This means what's in the kernel and what's in policy don't match. The port is still 6379 though.

You may want to check what you have configured for your http_port_t as well as your redis_port_t. As far as I understand, port policy bindings can only have one label per port/protocol, so I suspect what's in your policy store does not reflect what's in your server presently.

You may want to try doing a semodule -B to rebuild and reload your policy to try to fix the synchronization problem.

If no luck, search what's in the port listings for http_port_t and update the question.

  • Right in the spot!!! :D I am going to update the question with resolution steps for anyone who stumbles onto this :) THANKS A LOT! :) Commented Nov 25, 2016 at 20:53
