Red Hat - httpd install on a custom port with SELinux (Security-Enhanced Linux) enabled


rpm -q httpd # check whether the httpd package is already installed

yum install httpd # install it if rpm -q reports it is not installed

When SELinux (Security-Enhanced Linux) is enabled, httpd processes run confined in their own domain, httpd_t, and may only bind to TCP ports that policy labels with the http_port_t type.

This example assumes the httpd, setroubleshoot, setroubleshoot-server and policycoreutils-python packages are installed (policycoreutils-python provides the semanage command used below):

Run the getenforce command to confirm SELinux is running in enforcing mode (in permissive mode the bind would be logged but not blocked, and the failure below would not reproduce):
$ getenforce
Enforcing

Run the service httpd start command as the root user to start httpd:
# service httpd start
Starting httpd: [ OK ]

Run the ps -eZ | grep httpd command to view the httpd processes; each one should show the httpd_t type in its security context, confirming the processes are confined:

# ps -eZ | grep httpd

When /etc/httpd/conf/httpd.conf is configured so httpd listens on a port other than TCP ports 80, 443, 488, 8008, 8009, or 8443, the semanage port command must be used to add the new port number to SELinux policy configuration.

# service httpd stop
Stopping httpd:

# service httpd status
httpd is stopped

Run the semanage port -l | grep -w http_port_t command to view the ports SELinux allows httpd to listen on:
# semanage port -l | grep -w http_port_t
http_port_t tcp 80, 443, 488, 8008, 8009, 8443

Edit /etc/httpd/conf/httpd.conf as the root user and change the Listen directive to a port that is not in the SELinux policy configuration for httpd. In this example, httpd is configured to listen on port 12345, so the directive reads Listen 12345 in place of the default Listen 80:

Run the service httpd start command to start httpd. SELinux denies the bind() to the unlabelled port, so httpd fails to start:
# service httpd start
Starting httpd: (13)Permission denied: make_sock: could not bind to address
no listening sockets available, shutting down
Unable to open logs [FAILED]

Note that the error itself does not mention SELinux. The denial is recorded as an AVC message in /var/log/audit/audit.log (ausearch -m AVC -ts recent shows it; with setroubleshoot-server installed, sealert -a /var/log/audit/audit.log explains it). An AVC with scontext httpd_t and permission name_bind on a tcp_socket is what distinguishes this failure from a port that is already in use or a permissions problem on the log directory.

For SELinux to allow httpd to listen on port 12345, as used in this example, label the port with the http_port_t type. The change is stored in the local policy store, so it persists across reboots and policy updates:
# semanage port -a -t http_port_t -p tcp 12345

If the port is already assigned to another type (semanage port -l | grep -w 12345 shows the owner), -a fails with an "already defined" error; use semanage port -m -t http_port_t -p tcp 12345 instead to move it to http_port_t. Reassigning a port also takes it away from the service that previously owned it, so check the current owner before doing this.

Run service httpd start again to start httpd and have it listen on the new port:
# service httpd start
Starting httpd: [ OK ]

Now that SELinux has been configured to allow httpd to listen on a non-standard port (TCP 12345 in this example), httpd starts successfully on this port.
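As an added example, not part of the original page or of Red Hat's documentation, the following POSIX shell script wraps the check-and-label decision from the steps above. It parses semanage port -l output, reports which type currently owns a given port (expanding port ranges), and prints whether semanage port -a or semanage port -m is the right command, or that nothing is needed. A constructed excerpt of semanage port -l output is embedded so the logic runs on a machine without SELinux; the function names and that excerpt are this example's own.

```shell
#!/bin/sh
# Added example: decide whether a port must be added (-a) or moved (-m) into
# http_port_t before httpd can bind to it. Function names and the constructed
# listing below are this example's own assumptions, not Red Hat's.

# Constructed excerpt of `semanage port -l` output (trimmed; a real system
# lists far more types). Lets the functions be exercised without semanage.
SEMANAGE_PORT_LIST='http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
mysqld_port_t                  tcp      1186, 3306, 63132-63164
ssh_port_t                     tcp      22
syslogd_port_t                 udp      514'

# selinux_port_type PORT PROTO [LISTING]
# Prints the SELinux port type that owns PORT/PROTO in LISTING (default: the
# live `semanage port -l` output), expanding ranges such as 10001-10010.
# Prints nothing when the port is unassigned; returns 2 if semanage is missing.
selinux_port_type() {
    port=$1
    proto=$2
    if [ $# -ge 3 ]; then
        listing=$3
    else
        listing=$(semanage port -l) || { echo "semanage not available" >&2; return 2; }
    fi
    printf '%s\n' "$listing" | awk -v port="$port" -v proto="$proto" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                f = $i
                sub(/,$/, "", f)                 # strip the trailing comma
                if (f ~ /-/) { split(f, r, "-"); lo = r[1]; hi = r[2] }
                else         { lo = f; hi = f }
                if (port + 0 >= lo + 0 && port + 0 <= hi + 0) { print $1; exit }
            }
        }'
}

# semanage_port_cmd PORT PROTO [LISTING]
# Prints the semanage command that makes PORT/PROTO usable by httpd:
#   already http_port_t -> a note, nothing to do
#   unassigned          -> semanage port -a (add)
#   owned by other type -> semanage port -m (modify); -a would fail with an
#                          "already defined" error, and the previous owner
#                          loses the port, so the owner is reported on stderr
semanage_port_cmd() {
    port=$1
    proto=$2
    owner=$(selinux_port_type "$port" "$proto" ${3+"$3"}) || return $?
    case $owner in
        http_port_t) echo "nothing to do: $proto/$port is already http_port_t" ;;
        "")          echo "semanage port -a -t http_port_t -p $proto $port" ;;
        *)           echo "note: $proto/$port is currently $owner" >&2
                     echo "semanage port -m -t http_port_t -p $proto $port" ;;
    esac
}

# Walk the page's scenario (port 12345) plus two contrasting cases against
# the constructed listing.
for p in 12345 3306 443; do
    semanage_port_cmd "$p" tcp "$SEMANAGE_PORT_LIST"
done
```

On a real system, call semanage_port_cmd 12345 tcp without the third argument to query the live policy, run the command it prints as root, then service httpd start and confirm with semanage port -l | grep -w http_port_t that 12345 now appears in the list.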

To prove that httpd is listening and communicating on TCP port 12345, open a telnet connection to the port and issue an HTTP GET request followed by a blank line (the blank line terminates the HTTP/1.0 request), as follows:
~]# telnet localhost 12345
Connected to localhost.
Escape character is '^]'.
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Wed, 02 Dec 2009 14:36:34 GMT
Server: Apache/2.2.13 (Red Hat)
Accept-Ranges: bytes
Content-Length: 3985
Content-Type: text/html; charset=UTF-8



