
I have a problem with SELinux enabled (set to enforcing) on our new RHEL-9 machine. We use the Apache web server (httpd) and ZeroMQ there. In our custom Apache *.conf file we load a module for ZeroMQ.

With SELinux enabled (enforcing) the communication will not work, because SELinux seems to block loading the module or the communication.

In our custom Apache config there is the following configuration:

    LoadModule redirect_module $(PROG_MESSAGEQUEUE)/libmod_redirect.so

    <Location "/auth">
        RequestHeader set X-Forwarded-Proto "https"
        RequestHeader set X-Forwarded-Port "443"
        RequestHeader set X-Forwarded-Host "$(HOST_ADDRESS)"
        ZMQRedirectAddress tcp://127.0.0.1:2417
    </Location>

So the ZeroMQ MessageQueue runs on the same system and the service is running. A look inside the Apache error_log shows that there seems to be a problem with our loaded module libmod_redirect.so.

I set SELinux to permissive mode, and communication now works and the module is loaded. But I'm very new to SELinux and don't know how to fix that problem. So what must I do to get that working with SELinux fully enabled (enforcing)?

Opa114
  • 123

1 Answer

Solved it with the help of @HBruijn.

So enabling the SELinux boolean httpd_can_network_connect (setsebool -P httpd_can_network_connect on) solved the problem. Now the specific httpd module (*.so file) is loaded and my services from other servers can connect to the ZeroMQ queue.

Adding the specific port to the SELinux policy did not work (semanage port -a -t http_port_t -p tcp PORT). As I found out, adding the port there is only useful if you want httpd to listen on this specific port, too.

Opa114
  • 123
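An added example, not part of the original question or answer: before changing a boolean, it helps to see exactly which denials the audit log recorded, so that only the access httpd actually needs is granted. The sketch below summarises AVC denials and lists the ports httpd_t was refused an outbound TCP connect to. The function names are hypothetical, the sample records are constructed, and it is an assumption that the denial in this case was a name_connect on port 2417.

```shell
#!/usr/bin/env bash
# Constructed sample audit records (assumed shape of the denial; not from the post).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1700000000.101:512): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=2417 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1700000000.101:512): arch=c000003e syscall=42 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1700000007.350:519): avc:  denied  { name_connect } for  pid=2102 comm="httpd" dest=2417 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000009.900:530): avc:  denied  { read } for  pid=3000 comm="logrotate" name="app.log" scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=0
EOF
}

# Read raw audit records on stdin; print "count comm source_type perms tclass dest"
# for each distinct denial. dest is "-" when the record carries no port.
avc_summary() {
  awk '
    /^type=AVC / && / denied / {
      perm = ""; comm = ""; dest = "-"; src = ""; tcls = ""
      # Permissions sit between "{ " and " }"; join several with commas.
      if (match($0, /[{] [^}]+ [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
      gsub(/ /, ",", perm)
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "comm") { comm = kv[2]; gsub(/"/, "", comm) }
        else if (kv[1] == "dest") dest = kv[2]
        else if (kv[1] == "scontext") { split(kv[2], c, ":"); src = c[3] }
        else if (kv[1] == "tclass") tcls = kv[2]
      }
      count[comm " " src " " perm " " tcls " " dest]++
    }
    END { for (k in count) print count[k], k }
  ' | sort
}

# Ports httpd_t was denied an outbound TCP connect to: the access that the
# httpd_can_network_connect boolean from the answer governs.
httpd_connect_ports() {
  avc_summary | awk '$3 == "httpd_t" && $4 == "name_connect" && $5 == "tcp_socket" { print $6 }'
}

# On a live host, feed real records instead of the sample:
#   ausearch -m AVC -ts recent --raw | avc_summary
#   getsebool httpd_can_network_connect   # current state of the boolean
sample_audit_log | avc_summary
```

If the only httpd_t denials listed are name_connect entries for the expected local port, the boolean is the matching fix; unrelated denials in the summary point to a different problem and should be handled separately.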