[CentOS] NetworkManager, multiple IPs, and selinux...

Sun Oct 7 07:05:30 UTC 2018
Gordon Messmer <gordon.messmer at gmail.com>

On 10/4/18 1:10 PM, Sean wrote:
> I was wondering if any one has seen issues with selinux name_bind denials
> that result from having IP:PORT bindings for services to specific IP
> addresses managed on an interface under NetworkManager's control?


I don't.  I have httpd processes listening on specific ports, and 
multiple addresses per interface managed by NetworkManager.


> I do realize that people will probably say stop using NetworkManager


I don't see why.


> # systemctl start httpd
> <errors> permission denied binding to 192.168.1.10:443
> ...
> I find the denial strange.  I've done some testing such as removing one
> VHost's config and adding a NIC to the VM (eth1) and reconfigure to have 1
> IP on each NIC and use both Vhosts.  Either way, the selinux denial
> disappears and everything works.


What makes you think it's an SELinux denial?  Did you see an AVC logged 
in /var/log/audit/audit.log?  Can you resolve the issue by setting the 
system to permissive mode?  Either of those would suggest that the 
restriction is imposed by SELinux policy, but you didn't provide either 
of those as diagnostic evidence.
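As an added example (not from the thread or from either poster): the two pieces of evidence Gordon asks for are an AVC in audit.log and the behaviour in permissive mode, and both can be read straight off the AVC record. The snippet below pulls `name_bind` denials out of audit.log text, separates enforced denials (`permissive=0`) from ones that were merely logged, and builds the usual `semanage port` relabel for the port. The log lines are constructed; a bind to 443 by httpd_t would normally produce no AVC at all, since 443 is already labelled http_port_t.

```python
import re
from dataclasses import dataclass

# Constructed audit.log excerpt (not from the thread). Only the 8443 and 9090
# lines are name_bind denials; the SYSCALL and name_connect lines are noise.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1538678730.101:301): avc:  denied  { name_bind } for  pid=2110 comm="httpd" src=8443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1538678730.101:301): arch=c000003e syscall=49 success=no exit=-13 pid=2110 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1538678730.102:302): avc:  denied  { name_connect } for  pid=2110 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1538678790.555:310): avc:  denied  { name_bind } for  pid=2190 comm="httpd" src=9090 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:websm_port_t:s0 tclass=tcp_socket permissive=1
"""

AVC_RE = re.compile(
    r'^type=AVC .*?avc:\s+denied\s+\{ name_bind \} for\s+pid=(?P<pid>\d+)\s+'
    r'comm="(?P<comm>[^"]+)"\s+src=(?P<port>\d+)\s+'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\w+)\s+permissive=(?P<perm>[01])'
)

@dataclass(frozen=True)
class NameBindDenial:
    pid: int
    comm: str
    port: int
    source_type: str   # SELinux type of the binding process, e.g. httpd_t
    port_type: str     # SELinux type of the port, e.g. unreserved_port_t
    tclass: str
    enforced: bool     # permissive=0 means the bind() really failed

def parse_name_bind_denials(log_text):
    """Extract every name_bind AVC record from raw audit.log text."""
    out = []
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        out.append(NameBindDenial(
            pid=int(m["pid"]), comm=m["comm"], port=int(m["port"]),
            source_type=m["scontext"].split(":")[2],
            port_type=m["tcontext"].split(":")[2],
            tclass=m["tclass"], enforced=m["perm"] == "0"))
    return out

def enforced_ports(denials, comm="httpd"):
    """Ports a given daemon was actually prevented from binding."""
    return sorted({d.port for d in denials if d.comm == comm and d.enforced})

def remediation_hint(denial, target_type="http_port_t"):
    """Relabel the port for the daemon; a port that already carries a
    specific type must be modified (-m) rather than added (-a)."""
    proto = "tcp" if denial.tclass == "tcp_socket" else "udp"
    action = "-a" if denial.port_type == "unreserved_port_t" else "-m"
    return f"semanage port {action} -t {target_type} -p {proto} {denial.port}"

if __name__ == "__main__":
    for d in parse_name_bind_denials(SAMPLE_AUDIT_LOG):
        print(d, "->", remediation_hint(d))
```

If `parse_name_bind_denials` finds nothing in audit.log for the failing bind, the "permission denied" is coming from somewhere other than SELinux policy, which is the point of Gordon's question.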