[CentOS] NetworkManager, multiple IPs, and selinux...

Thu Oct 4 20:34:50 UTC 2018
Mike McCarthy, W1NR <sysop at w1nr.net>

On 10/4/18 4:10 PM, Sean wrote:
> Hello,
> I was wondering if any one has seen issues with selinux name_bind denials
> that result from having IP:PORT bindings for services to specific IP
> addresses managed on an interface under NetworkManager's control?

Is selinux denying the request or the socket? Does it work with
setenforce permissive?

> I do realize that people will probably say stop using NetworkManager, and I
> may, but the behavior is strange, and I'd like to have a better
> understanding of what's going on.
> The config is like so:
> # nmcli c mod eth0 ipv4.addresses,
> # nmcli c down eth0
> # nmcli c up eth0
> # getenforce
> Enforcing
> # systemctl start httpd
> <errors> permission denied binding to
> Apache has two simple IP based VHosts, site1 and site2, with different (and
> correct dns records and ssl certs).  I'm snipping the config because I know
> the Apache config works.
> Listen 443
> <VirtualHost>
> ...
> <VirtualHost>
> ...
> I find the denial strange.  I've done some testing such as removing one
> VHost's config and adding a NIC to the VM (eth1) and reconfigure to have 1
> IP on each NIC and use both Vhosts.  Either way, the selinux denial
> disappears and everything works.  All the packaged selinux policy relating
> to httpd_t and access to port 443 is correct.
> I don't doubt that if I ditched NetworkManager and went for eth0:0 and
> eth0:1 for the IP interfaces, all would be well.  I'd just like to see if
> anyone has some input on the issue.

I don't believe apache selectively binds the socket to the address, but
the interface. My suspicion is that you can only bind one listener for a
port to an interface and not to individual IP addresses on the same
interface. If you use "virtual" interfaces to separate the IP addresses
(eth0:0, eth0:1) then I would expect it to work.

- Mike