
I am having a rather persistent issue with my Redis instance. While SELinux is in enforcing mode, the Redis server is unable to start:

[root@server ~]# service redis start
Starting redis-server:                                     [  OK  ]

But in fact, it did not start, as shown by lsof, which returns no result:

[root@server ~]# lsof -i :6379

To further confirm that it is not running, here is the redis log:

[5539] 21 Nov 03:44:34 # Opening port 6379: bind: Permission denied

Now, I am pretty new to managing SELinux, so please bear with me as I might have missed something. This is what I was able to see:

[root@server ~]# semanage port -l | grep "redis"
redis_port_t                   tcp      6379

[root@server ~]# semanage user -l
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles
....
redis           user       s0         s0                             user_r
....

The above redis user did not exist initially, but I tried adding it as redis-server really runs under it. That did not help...

Just to note, Redis server is used internally, so it listens only to 127.0.0.1:6379.

Does anyone have any ideas?

For the time being, I can put SELinux in permissive mode, but I would really like to tighten it up and do it "by-the-book".

UPDATE:

[root@server ~]# ausearch -ts recent -m avc
----
time->Thu Nov 24 13:48:13 2016
type=SYSCALL msg=audit(1480013293.595:34717): arch=c000003e syscall=49 success=no exit=-13 a0=4 a1=7ffea866c0f0 a2=10 a3=7ffea866be50 items=0 ppid=1 pid=16468 auid=0 uid=495 gid=495 euid=495 suid=495 fsuid=495 egid=495 sgid=495 fsgid=495 tty=(none) ses=5202 comm="redis-server" exe="/usr/sbin/redis-server" subj=unconfined_u:system_r:redis_t:s0 key=(null)
type=AVC msg=audit(1480013293.595:34717): avc:  denied  { name_bind } for  pid=16468 comm="redis-server" src=6379 scontext=unconfined_u:system_r:redis_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket

UPDATE(2)

[root@server ~]# rpm -qa | grep -i redis
redis-2.4.10-1.el6.x86_64
php56w-pecl-redis-2.2.7-1.w6.x86_64

SOLUTION:

Following @Matthew's suggestion, I started analyzing the redis_port_t and http_port_t:

[root@server ~]# semanage port -l | grep "redis_port_t"
redis_port_t                   tcp      6379

[root@server ~]# semanage port -l | grep "http_port_t"
http_port_t                    tcp      6379, 80, 81, 443, 488, 8008, 8009, 8443, 9000

And there it was! Port 6379 was added to both port policies! And yes, I now remember doing this when I started the migration :( (shame on me).

So, running this fixed the issue:

semanage port -d -t http_port_t 6379
semanage permissive -d redis_t   # I don't need this anymore
service redis restart
lsof -i :6379

And there it was :)

redis-ser 4575 redis    4u  IPv4 236174      0t0  TCP localhost:6379 (LISTEN)
Jovan Perovic
  • Have you tried installing `redis_selinux`? Also which linux are we talking about? – mzhaase Nov 23 '16 at 15:11
  • Hey @mzhaase, thanks for the suggestion. I am running `Centos 6.8`. I cannot seem to find that package via `yum`, should I do it from some third party repo? – Jovan Perovic Nov 23 '16 at 19:15
  • Aham, after a bit digging on it, I found that it is available under `Centos 7` but not under `6`. – Jovan Perovic Nov 23 '16 at 19:18
  • [This page](http://rpm.pbone.net/index.php3/stat/45/idpl/25775304/numer/8/nazwa/redis_selinux) might be able to provide more help/clues about that `redis_selinux` RPM... – Castaglia Nov 24 '16 at 05:07
  • @Castaglia Thanks a lot! I checked my server for all the `SELinux` domains regarding `Redis` - everything is quite as it should be. Finally, I decided to revert `SELinux` to `enforcing` mode but set `redis_t` to `permissive`. For the time being, that should be ok. – Jovan Perovic Nov 24 '16 at 08:30
  • Can you duplicate the fault again then run after: `ausearch -ts recent -m avc` then edit the answer with the result? – Matthew Ife Nov 24 '16 at 10:38
  • Hey @MatthewIfe, I have updated the question with the output... Thanks! – Jovan Perovic Nov 24 '16 at 18:49
  • Why have you chosen CentOS 6 for this? – Michael Hampton Nov 24 '16 at 19:03
  • I am currently most familiar with `CentOS 6` but I could have chosen `v7` instead... – Jovan Perovic Nov 24 '16 at 21:40
  • You are not using the CentOS-provided redis packages, right? Please post the output of `rpm -qa | grep -i redis` – shodanshok Nov 24 '16 at 21:51
  • I actually installed it via `yum`. Updated the question with output. Thanks! :) – Jovan Perovic Nov 24 '16 at 23:10
  • You should have gone with C7 in the beginning. It's a bad idea to start new projects on old OSes. – Michael Hampton Nov 24 '16 at 23:14
  • That is just it - we are migrating existing project from one VPS provider to another so I wanted minimal changes to be there. But I agree with you regarding the new projects :) @shodanshok You make quite a valid point... the installed version is quite outdated :-/ – Jovan Perovic Nov 24 '16 at 23:16
  • Strange: I tried with a CentOS6 machine and the provided Redis package (2.4.10) and I have no problem starting the server. Does a `yum update` followed by a SELINUX relabel (`touch /.autorelabel; reboot`) fix the error? Note: a full filesystem relabel can take some time, do not run it during peak time. – shodanshok Nov 25 '16 at 06:52
  • @shodanshok I can certainly try that but, as you pointed out, I must wait for next maintenance window :) – Jovan Perovic Nov 25 '16 at 11:25

1 Answer


I think there's something odd going on in that policy of yours.

If you check the audit logs, it says that, whilst the SELinux source context is correctly labelled as redis_t, the target context is labelled as http_port_t. This is despite what your policy says, which is that it should be redis_port_t.

This means what's in the kernel and what's in policy don't match. The port is still 6379 though.

You may want to check what you have configured for your http_port_t as well as your redis_port_t. As far as I understand, port policy bindings can only have one label per port/protocol, so I suspect what's in your policy store does not reflect what's in your server presently.

You may want to try doing a semodule -B to rebuild and reload your policy to try to fix the synchronization problem.

If no luck, search what's in the port listings for http_port_t and update the question.

Matthew Ife
  • Right in the spot!!! :D I am going to update the question with resolution steps for anyone who stumbles onto this :) THANKS A LOT! :) – Jovan Perovic Nov 25 '16 at 20:53