On 10/4/18 1:10 PM, Sean wrote:
I was wondering if anyone has seen issues with SELinux name_bind denials that result from having IP:PORT bindings for services to specific IP addresses managed on an interface under NetworkManager's control?
I don't. I have httpd processes listening on specific ports, and multiple addresses per interface managed by NetworkManager.
I do realize that people will probably say "stop using NetworkManager".
I don't see why.
# systemctl start httpd
<errors> permission denied binding to 192.168.1.10:443 ...

I find the denial strange. I've done some testing, such as removing one VHost's config, and adding a NIC to the VM (eth1) and reconfiguring to have one IP on each NIC and use both VHosts. Either way, the SELinux denial disappears and everything works.
What makes you think it's an SELinux denial? Did you see an AVC logged in /var/log/audit/audit.log? Can you resolve the issue by setting the system to permissive mode? Either of those would suggest that the restriction is imposed by SELinux policy, but you didn't provide either of those as diagnostic evidence.
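As an added example (not part of this thread and not either poster's code), the following POSIX shell snippet does the check the reply asks for: it pulls AVC records out of an audit log, picks out the name_bind denials, and reports the port and the SELinux type the port carries, which is what the name_bind check is actually made against (the AVC record carries the port number, not the bound IP address). The sample log lines are constructed in the auditd format; the pid, the port 8443 and the labels are assumptions chosen for illustration, not data from the original post.

```sh
#!/bin/sh
# Added example for this thread; not code from either poster.
# Constructed sample audit.log content: one name_bind denial (port 8443,
# labelled unreserved_port_t), the matching SYSCALL record, and one
# unrelated name_connect denial. All values are illustrative assumptions.
SAMPLE_LOG='type=AVC msg=audit(1538662200.123:456): avc:  denied  { name_bind } for  pid=2345 comm="httpd" src=8443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1538662200.123:456): arch=c000003e syscall=49 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1538662201.000:457): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0'

# Number of AVC records on stdin. A non-zero count is the first piece of
# evidence the reply asks for; zero means the failure is not an SELinux denial.
count_avc() {
    grep -c '^type=AVC '
}

# For every name_bind denial on stdin print "<port> <port-type>", one per line.
# The port type comes from the third field of tcontext= and is what the
# policy rule (e.g. httpd_t may name_bind http_port_t) is evaluated against.
name_bind_denials() {
    grep 'denied *{ name_bind }' |
        sed -n 's/.*src=\([0-9]*\) .*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1 \2/p'
}

# Whether the denials on stdin were recorded in permissive mode
# (permissive=1 means the operation was logged but allowed).
was_permissive() {
    grep -q 'permissive=1'
}

# Print a triage line per denied port with the command a practitioner would
# run next on the real system to see which type the port is assigned.
triage() {
    name_bind_denials | while read -r port ptype; do
        printf 'name_bind denied on tcp/%s (port type %s); next: semanage port -l | grep -w %s\n' \
            "$port" "$ptype" "$port"
    done
}

# Stand-alone run over the constructed sample. On a live host the input would
# come from: ausearch -m AVC -ts recent   (or /var/log/audit/audit.log)
printf '%s\n' "$SAMPLE_LOG" | triage
```

If the AVC count is zero, the bind failure is coming from somewhere other than SELinux and `setenforce 0` will not change it. If a name_bind denial does appear, the reported port type tells you whether the port is labelled as policy expects for httpd_t (443 is http_port_t by default), and `semanage port -a -t http_port_t -p tcp <port>` is the usual fix for a non-standard port.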