2 Replies Latest reply: Jun 20, 2012 9:12 AM by Alessandro Ghezzi

FootPrints Service Core 11 and SELinux

Alessandro Ghezzi

A FootPrints 10.0.2 installation has been upgraded to 11.0.3.

On the server there is RedHat Enterprise/MySQL and SELinux enabled (enforcing mode).


When I try to access the Executive Dashboard with SELinux enabled (enforcing), I get the following error:


"Following error occurred: ServerError: Can't connect to localhost:8080 (connect: Permission denied) (500)

Please try to reload this page"


The error is not displayed when SELinux is not enabled.


Please note that with SELinux enabled it is possible to open the Tomcat default page on port 8080 (http://localhost:8080)


Just to be sure:


[root@footprints ~]# semanage port -l|grep http

http_cache_port_t tcp 3128, 8080, 8118, 11211, 10001-10010

http_cache_port_t udp 3130, 11211

http_port_t tcp 80, 443, 488, 8008, 8009, 8443

pegasus_http_port_t tcp 5988

pegasus_https_port_t tcp 5989

[root@footprints ~]#


Trying to add 8080 port to http_port_t is not needed:


[root@footprints ~]# semanage port -a -t http_port_t -p tcp 8080

/usr/sbin/semanage: Port tcp/8080 already defined

[root@footprints ~]#


BMC/Numara support was not able to help me. Does anybody have experience with FootPrints 11 and SELinux?

  • 1. FootPrints Service Core 11 and SELinux
    Michael Santos

    Hi Alessandro,


    Unfortunately, no testing has been done against SELinux and it is therefore not supported.


    However, I see that you are getting an error connecting to localhost:8080.  Perhaps you should update this to be either the IP address or fully qualified domain name for the FootPrints Service Core server.  To do this, open a terminal prompt to the footprintsservicecore/bin/Utilities/ExecutiveDashboard directory.  Run the following:


    /usr/footprints_perl/bin/perl ConfigureTomcat.pl --networkInterface <IP address>


    Replace <IP address> with the IP address or fully qualified domain name for the FootPrints Server.  For example:


    /usr/footprints_perl/bin/perl ConfigureTomcat.pl --networkInterface 192.168.1.150


    Let me know if that helps.


    Michael


    Michael Santos

    Software Consultant
    BMC Software

  • 2. FootPrints Service Core 11 and SELinux
    Alessandro Ghezzi

    Hi Michael,


    thank you for the reply.  It should not be a Tomcat configuration issue because the Executive Dashboard works when SELinux is disabled.

    Also, when SELinux is enabled, it is possible to connect to the default Tomcat page (localhost:8080) while FootPrints gets the error.


    I did other tests, and analyzing the SELinux logs I found the following message:


    "type=AVC msg=audit(1340193157.435:43702): avc: denied { name_connect } for pid=4195 comm="MRExecutiveDash" dest=8080 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
    type=SYSCALL msg=audit(1340193157.435:43702): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfc0ebf0 a2=9fecf00 a3=ad4d2e8 items=0 ppid=30787 pid=4195 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="MRExecutiveDash" exe="/usr/local/footprints/footprints_perl/bin/perl" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)"


    When the Enforcing mode is enabled, I get the "Following error occurred: ServerError: Can't connect to localhost:8080 (connect: Permission denied) (500)

    Please try to reload this page" error message and the Dashboard is not shown.

    The odd thing is that in the other modes (Permissive/Disable) I found exactly the same message in the SELinux logs, but the Executive Dashboard works fine.


    I really don't understand...
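Added example (not part of the thread, not FootPrints or BMC code): a small POSIX sh triage script that takes the two pieces of evidence posted above, the `semanage port -l` listing from the first post and the AVC record from the last reply, and answers the two questions an administrator asks when reading them: which SELinux port type labels 8080/tcp, and which source type, permission and target type the denial is about. Both inputs are embedded as constructed samples copied from the thread. The mapping from the denial to a policy boolean (`httpd_can_network_connect` for `httpd_sys_script_t`, `httpd_can_network_relay` for `httpd_t` reaching `http_cache_port_t`) is my assumption based on the RHEL reference policy, not something the thread states; `audit2why` on the actual server is the authoritative check.

```shell
#!/bin/sh
# Added example: triage an SELinux AVC denial against the port labels on the box.
# Inputs below are constructed samples taken from the forum thread.

# The `semanage port -l | grep http` listing from the first post.
SAMPLE_PORTS='http_cache_port_t tcp 3128, 8080, 8118, 11211, 10001-10010
http_cache_port_t udp 3130, 11211
http_port_t tcp 80, 443, 488, 8008, 8009, 8443
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989'

# The AVC record from the last reply, reduced to a single line.
SAMPLE_AVC='type=AVC msg=audit(1340193157.435:43702): avc: denied { name_connect } for pid=4195 comm="MRExecutiveDash" dest=8080 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket'

# port_type PORT PROTO -> the SELinux port type labelling PORT/PROTO per the listing
# (handles both single ports and "low-high" ranges; prints nothing if unlabelled).
port_type() {
    printf '%s\n' "$SAMPLE_PORTS" | awk -v p="$1" -v proto="$2" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                r = $i; sub(/,$/, "", r)
                if (r == p) { print $1; exit }
                n = split(r, ab, "-")
                if (n == 2 && p+0 >= ab[1]+0 && p+0 <= ab[2]+0) { print $1; exit }
            }
        }'
}

# avc_field LINE KEY -> value of "KEY=value" in an audit record (empty if absent).
# The leading whitespace requirement keeps "pid=" from matching inside "ppid=".
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perm LINE -> the denied permission inside "denied { ... }"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied {[[:space:]]*\([^} ]*\).*/\1/p'
}

# ctx_type CONTEXT -> the type component (third field) of user:role:type:level
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE -> "SOURCE_TYPE PERM TARGET_TYPE CLASS"
avc_summary() {
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    printf '%s %s %s %s\n' "$src" "$(avc_perm "$1")" "$tgt" "$(avc_field "$1" tclass)"
}

# likely_boolean SUMMARY -> the policy boolean to inspect first, or empty.
# Assumption (RHEL reference policy, not stated in the thread): CGI scripts in
# httpd_sys_script_t get outbound TCP via httpd_can_network_connect, and httpd_t
# reaches http_cache_port_t via httpd_can_network_relay. Confirm with audit2why.
likely_boolean() {
    case "$1" in
        "httpd_sys_script_t name_connect "*" tcp_socket") echo httpd_can_network_connect ;;
        "httpd_t name_connect http_cache_port_t tcp_socket") echo httpd_can_network_relay ;;
        *) echo "" ;;
    esac
}

# Stand-alone run: summarise the sample record and name the next check.
summary=$(avc_summary "$SAMPLE_AVC")
echo "denied:  $summary"
echo "8080/tcp is labelled: $(port_type 8080 tcp)"
echo "boolean to inspect:   $(likely_boolean "$summary")  (verify: getsebool <name>; grep AVC /var/log/audit/audit.log | audit2why)"
```

The summary line makes the failure mode in the last reply concrete: the dashboard's Perl CGI runs as `httpd_sys_script_t`, and the policy does not let that type `name_connect` to a port labelled `http_cache_port_t`, which is why re-adding 8080 to `http_port_t` could not help and why a browser (running as the user, not as a CGI) can still open the Tomcat page. Seeing the identical AVC line in permissive mode while the dashboard works is expected: permissive mode logs every denial that enforcing mode would apply but lets the call succeed.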