I have an Apache httpd v2.4.57 configured on Rocky9 to connect to Tomcat9 / Java17 over a unix domain socket.

SELinux kicks in and says denied, as follows:

type=AVC msg=audit(1685376249.480:134): avc:  denied  { connectto } for  pid=1769 comm="httpd" path="/run/tomcat-xxx2-yyy/socket" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=unix_stream_socket permissive=0
type=SYSCALL msg=audit(1685376249.480:134): arch=c000003e syscall=42 success=no exit=-13 a0=12 a1=7faa3403a050 a2=27 a3=727461702d746163 items=0 ppid=1767 pid=1769 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)^]ARCH=x86_64 SYSCALL=connect AUID="unset" UID="apache" GID="apache" EUID="apache" SUID="apache" FSUID="apache" EGID="apache" SGID="apache" FSGID="apache"
type=PROCTITLE msg=audit(1685376249.480:134): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44002D6600636F6E662F6465766963652D6D61696E2E636F6E66

What, explicitly, must I change in the SELinux configuration, for this to work?

Do I set the context on the socket? Right now the socket context is as follows, but no luck:

[root@swordfish ~]# ls -alZ /run/tomcat-xxx2-yyy/socket
srw-rw----. 1 fma fma system_u:object_r:httpd_var_run_t:s0 0 May 29 17:56 /run/tomcat-xxx2-yyy/socket

Do I set an selinux boolean? If so, which one, and to what?

Graham Leggett

2 Answers

With your error message we know that SELinux is blocking the connection from the Apache HTTP server to the Tomcat server, httpd_t (assigned to Apache HTTPD) is not allowed to use a UNIX socket (unix_stream_socket) to connect to the tomcat_t.

Let's create a custom SELinux policy module to allow this operation.

First we use the audit2allow tool to generate a Type Enforcement

grep 'comm="httpd"' /var/log/audit/audit.log | audit2allow -M my_httpd_tomcat

then we can install the policy package

sudo semodule -i my_httpd_tomcat.pp

Another solution would be to use semanage to change the type context of the socket.

sudo semanage fcontext -a -t httpd_unix_stream_connect_t "/run/tomcat-xxx2-yyy/socket"
sudo restorecon -v "/run/tomcat-xxx2-yyy/socket"

Saxtheowl

  • I was aware of audit2allow, but learned of audit2why, which interprets the change you need to make rather than trusting that audit2allow won't have side effects. – Graham Leggett May 30 '23 at 11:06
The secret ingredient is the audit2why command, which interprets the reason for the denial and suggests the solution, which can then be applied with full knowledge of the ramifications and side effects of the change.

[root@swordfish ~]# cat /var/log/audit/audit.log | audit2why | less

This revealed this:

type=AVC msg=audit(1685362712.138:110): avc:  denied  { connectto } for  pid=1804 comm="httpd" path="/run/tomcat-xxx2-yyy/socket" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=unix_stream_socket permissive=0

        Was caused by:
        The boolean daemons_enable_cluster_mode was set incorrectly.
        Description:
        Allow daemons to enable cluster mode

        Allow access by executing:
        # setsebool -P daemons_enable_cluster_mode 1

Which in turn recommended the answer to this particular question, which is to do this:

setsebool -P daemons_enable_cluster_mode 1

The above mode takes effect immediately.

Do I set the context on the socket? It is not enough to do so. For a unix domain socket, the context of the process (in this case tomcat) is also taken into account as well as the context of the socket file.

The boolean "daemons_enable_cluster_mode" enables a built in SELinux policy that allows daemons to talk to each other.

Graham Leggett
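Both answers come down to reading the AVC record carefully before changing policy: the first answer feeds it to audit2allow, the comment and second answer prefer audit2why so the side effects are understood. The parser below is an added example, not code from either answer. It reads raw audit.log lines (constructed here from the denial in the question, plus a second constructed record with a file target so the two cases can be told apart), extracts the source type, target type, object class and permission, renders the allow rule that audit2allow would emit for the same input, and flags whether the target context is a process domain rather than a file label. That last check is the point made in the second answer: when the target is a process context (role is not object_r), relabelling the socket file cannot clear the denial. It runs without SELinux tools installed.

```python
"""Triage SELinux AVC denials from audit.log without loading any policy.

Added example for this thread (not code from either answer). Runs offline on
the constructed sample log below.
"""
import re
from collections import defaultdict

# Constructed sample log. Records 1 and 2 copy the denial from the question;
# record 3 is a SYSCALL line that is deliberately ignored; record 4 is a
# made-up sock_file denial (not a real denial seen on the system) so the
# file-target branch of target_is_process() is exercised.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1685376249.480:134): avc:  denied  { connectto } for  pid=1769 comm="httpd" path="/run/tomcat-xxx2-yyy/socket" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1685376301.012:140): avc:  denied  { connectto } for  pid=1804 comm="httpd" path="/run/tomcat-xxx2-yyy/socket" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=unix_stream_socket permissive=0
type=SYSCALL msg=audit(1685376249.480:134): arch=c000003e syscall=42 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1685376249.480:133): avc:  denied  { write } for  pid=1769 comm="httpd" name="socket" dev="tmpfs" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=sock_file permissive=0
"""

# An AVC record: "avc:  denied  { perm1 perm2 } for  key=value key="value" ..."
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """user:role:type:level -> type (the third field)."""
    return ctx.split(':')[2] if ctx else None


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other record type."""
    m = AVC_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec = {
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'path': fields.get('path'),
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
        'tclass': fields.get('tclass'),
        'permissive': fields.get('permissive') == '1',
    }
    rec['stype'] = context_type(rec['scontext'])
    rec['ttype'] = context_type(rec['tcontext'])
    return rec


def target_is_process(rec):
    """True when the target is a process domain (role other than object_r).

    Files and sockets on disk carry object_r (compare the ls -Z output in the
    question); a peer process carries system_r or similar. For such a denial,
    semanage fcontext + restorecon on the socket file changes nothing.
    """
    return rec['tcontext'].split(':')[1] != 'object_r'


def summarize(log_text):
    """Count denials by (source type, target type, class, permission)."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec['result'] == 'denied':
            for perm in rec['perms']:
                counts[(rec['stype'], rec['ttype'], rec['tclass'], perm)] += 1
    return dict(counts)


def allow_rules(counts):
    """Render the TE allow rules audit2allow would write for these denials,
    one per (source, target, class) with permissions merged, so the reader can
    judge how broad the module would be before running semodule -i."""
    merged = defaultdict(set)
    for (stype, ttype, tclass, perm) in counts:
        merged[(stype, ttype, tclass)].add(perm)
    rules = []
    for (s, t, c), perms in merged.items():
        p = ' '.join(sorted(perms))
        p = p if len(perms) == 1 else '{ ' + p + ' }'
        rules.append(f'allow {s} {t}:{c} {p};')
    return sorted(rules)


if __name__ == '__main__':
    for line in SAMPLE_AUDIT_LOG.splitlines():
        rec = parse_avc(line)
        if rec:
            kind = 'process target' if target_is_process(rec) else 'file target'
            print(rec['serial'], rec['stype'], '->', rec['ttype'],
                  rec['tclass'], rec['perms'], kind)
    for rule in allow_rules(summarize(SAMPLE_AUDIT_LOG)):
        print(rule)
```

On a real host, replace SAMPLE_AUDIT_LOG with the contents of /var/log/audit/audit.log. When the rendered rule names a process domain on the right-hand side, as with httpd_t to tomcat_t here, look for an existing boolean with audit2why (as the second answer does) before loading a custom module: a boolean such as daemons_enable_cluster_mode is maintained policy, whereas a local allow rule is not.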