Rudder

To be more precise, this command enables apache to initiate connections to the outsite world. By default, it can not in SELinux enforce mode (default), which prevents it from connecting to the Rudder application server (Jetty).

Matthieu CERDA wrote:

To be more precise, this command enables apache to initiate connections to the outsite world. By default, it can not in SELinux enforce mode (default), which prevents it from connecting to the Rudder application server (Jetty).

That's a bit weird, since jetty is not in the outside world, but on localhost. Is there not an intermediate restriction we could use instead?

Well, here is what the man page says, from httpd_selinux(8):

SELinux policy can be setup such that httpd scripts are not allowed to connect out to the network. This would prevent a hacker from breaking into you httpd server and attacking other machines. If you need scripts to be able to connect you can set the httpd_can_network_connect boolean on.

setsebool -P httpd_can_network_connect 1

But seeing the naming conventions used by this booleans, I suppose it just prevents apache from using the connect() function. Thus, even local connections fail. But sadly it looks there is nothing more "fine grained".

Matthieu CERDA wrote:

Well, here is what the man page says, from httpd_selinux(8):

[...]

But seeing the naming conventions used by this booleans, I suppose it just prevents apache from using the connect() function. Thus, even local connections fail. But sadly it looks there is nothing more "fine grained".

You'll find an example here that allows to do a more fine grained approach:
http://serverfault.com/questions/329355/issues-with-proxypass-and-proxypassreverse-when-proxying-to-localhost-and-a-diff

After trying to install rudder 2.8.0rc2 on Centos 6.4 SELinux is blocking access on local port 8080 as mentionned in this bug.

After using audit2allow (from policycoreutils-python), the policy should be something like :
module httpd-rudder 1.0;

require {
type httpd_t;
type http_cache_port_t;
class tcp_socket name_connect;
}

#============= httpd_t ==============
allow httpd_t http_cache_port_t:tcp_socket name_connect;

Some links I used :
http://wiki.centos.org/HowTos/SELinux
http://www.techrepublic.com/blog/linux-and-open-source/practical-selinux-port-contexts-and-handling-access-alerts/2463/

To add the policy to the package, this may be useful :
http://selinuxproject.org/page/RPM#Adding_Policy_to_an_RPM
http://fedoraproject.org/wiki/SELinux_Policy_Modules_Packaging_Draft
http://unix.stackexchange.com/questions/16458/what-is-the-proper-way-to-set-selinux-context-in-an-rpm-spec

Slightly modified and commented policy.
But still missing the webdav part

module rudder 1.0;

require {
        type httpd_t;
        type var_t;
        type http_cache_port_t;
        class tcp_socket name_connect;
        class file getattr;
}

#============= httpd_t ==============

# Allow httpd daemon to access 8080:tcp via connect method
allow httpd_t http_cache_port_t:tcp_socket name_connect;

Applied in changeset rudder-packages|55569f4326f78b6d5a40a6cbb1ccdf9cc7a13a99.