I have a CentOS 7 box with multiple IP addresses on the same NIC. One IP uses 443 for ssh and I want the other IP to use 443 for the web server. SELinux won't let httpd start up, saying:
(13)Permission denied: AH00072: make_sock: could not bind to address MYIPADDRESS:443
I have both services set up to listen only on the relevant IP addresses via Listen arguments in their respective config files. Before I just turn off SELinux, is there a way to allow both? My SELinux config currently looks like:
# semanage port -l | grep 443
http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000
pki_ca_port_t tcp 829, 9180, 9701, 9443-9447
pki_kra_port_t tcp 10180, 10701, 10443-10446
pki_ocsp_port_t tcp 11180, 11701, 11443-11446
pki_tks_port_t tcp 13180, 13701, 13443-13446
ssh_port_t tcp 443, 22
From audit log:
type=AVC msg=audit(1547705364.251:191844): avc: denied { name_bind } for pid=17495 comm="httpd" src=443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket
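The two outputs in the post can be cross-checked mechanically. The sketch below is an added example, not part of the original post: it parses the AVC record and the `semanage port -l` listing, then reports which label the denial saw on the port and which other types list the same port. The function names are illustrative, and the sample data is constructed from the post's own output.

```python
import re

# Constructed from the post above: three rows of its `semanage port -l` output and its AVC record.
SEMANAGE_OUTPUT = """\
http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000
pki_ca_port_t tcp 829, 9180, 9701, 9443-9447
ssh_port_t tcp 443, 22
"""
AVC_RECORD = (
    'type=AVC msg=audit(1547705364.251:191844): avc: denied { name_bind } for '
    'pid=17495 comm="httpd" src=443 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket'
)

def parse_port_types(listing):
    """Map (proto, port) -> port types listed for it, expanding ranges like 9443-9447."""
    table = {}
    for line in listing.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3 or parts[1] not in ("tcp", "udp", "sctp", "dccp"):
            continue  # skips blank lines and the column header of the real output
        setype, proto, ports = parts
        for item in ports.split(","):
            low, _, high = item.strip().partition("-")
            for port in range(int(low), int(high or low) + 1):
                table.setdefault((proto, port), []).append(setype)
    return table

def parse_avc(record):
    """Pull the fields needed to diagnose a port-bind denial out of one AVC record."""
    denied = re.search(r"avc:\s+denied\s+\{([^}]*)\}", record)
    if denied is None:
        return None  # not a denial record
    kv = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', record))
    return {
        "perms": denied.group(1).split(),
        "comm": kv.get("comm", "").strip('"'),
        "port": int(kv["src"]) if "src" in kv else None,
        "proto": kv.get("tclass", "").split("_")[0],
        "source_type": kv["scontext"].split(":")[2],
        "target_type": kv["tcontext"].split(":")[2],
    }

def diagnose(record, listing):
    """Compare the label the denial reports with every type listed for that port."""
    avc = parse_avc(record)
    listed = parse_port_types(listing).get((avc["proto"], avc["port"]), [])
    avc["listed_types"] = listed
    avc["other_listed_types"] = [t for t in listed if t != avc["target_type"]]
    return avc

if __name__ == "__main__":
    print(diagnose(AVC_RECORD, SEMANAGE_OUTPUT))
```

For the post's data this reports `target_type` as `ssh_port_t` with `http_port_t` as the other listed type, i.e. the port is listed under both types but the denial was evaluated against the `ssh_port_t` label.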