Lately, I've been trying to immerse myself in the world of SELinux, so I just leave SELinux in enforcing mode. After that, life wasn't as easy as before. I cannot install and use a reverse proxy so effortlessly anymore, for example, because I had to do some SELinux configuration before I could connect to my webserver.
Set SELinux flags temporarily
Taking the use case above, I had to turn on the httpd_can_network_connect flag with the following command:
setsebool httpd_can_network_connect on
You might think we are done, but sadly the result is only temporary: after the machine is restarted, the flag rolls back to its default state. The default value of an SELinux flag can be checked with the command below.
semanage boolean -l | grep httpd_can_network_connect
I added the grep command because the full output has far too many lines. In the filtered output we can see this line:
httpd_can_network_connect (on , off) Allow httpd to can network connect
In the first column there's the name of the flag, between the parentheses are the current and the default value of this flag, and then a short description. So we can see that after a restart this flag will get the value off.
Set SELinux flags permanently
Fortunately we don't need any fancy stuff, just add the -P flag to the command:
setsebool -P httpd_can_network_connect on
Check the result:
semanage boolean -l | grep httpd_can_network_connect
# Output
httpd_can_network_connect (on , on) Allow httpd to can network connect
And tadaa. We are now able to connect to our webserver.
What does this flag do in the background
The httpd_can_network_connect SELinux boolean allows the proxy (like Apache, NGINX, etc.) to initiate outbound network connections by permitting the httpd_t domain to use the name_connect permission on tcp_socket.
When SELinux is in enforcing mode, our proxy runs under the httpd_t domain. By default, httpd_t is restricted from opening outbound connections, even if the firewall allows them.
So the httpd_t domain needs to be allowed to call connect() on all network sockets (tcp_socket), and this is achieved with the setsebool command. It enables the proxy to act as a client for network services.
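The whole procedure above (set the boolean, check it with semanage, make it persistent with -P) and the background section come down to one practical check: is the boolean's current value the same as its persistent one? The following shell script is an added example, not part of the original post. It parses the "(current , default)" columns of semanage boolean -l output, lists every boolean that would revert on reboot, reads the persistent value of one named boolean, and, when the sesearch tool from the setools package is installed, prints the allow rules that a boolean switches on for httpd_t. The sample semanage output embedded in the script is constructed so it runs offline; the function names and the fall-back-to-sample behaviour are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post): audit SELinux booleans whose
# current value differs from the persistent one recorded by "semanage boolean -l".
# Such booleans were set with setsebool but without -P and will silently revert
# on the next reboot (exactly what happened in the post before adding -P).

# Parse "semanage boolean -l" output from stdin. Each data line looks like:
#   <name>   (<current> , <persistent>)  <description>
# Prints "<name> <current> <persistent>" for every boolean whose two values differ.
# The header line and blank lines do not match the pattern and are skipped.
find_non_persistent_booleans() {
    sed -n 's/^\([A-Za-z0-9_]*\)[[:space:]]*(\([a-z]*\)[[:space:]]*,[[:space:]]*\([a-z]*\)).*/\1 \2 \3/p' |
    awk '$2 != $3 { print $1, $2, $3 }'
}

# Print the persistent (reboot-surviving) value of boolean $1, read from
# "semanage boolean -l" output on stdin. Prints nothing if the boolean is absent.
# $1 is inserted into the regex verbatim, so it must be a plain boolean name
# (letters, digits, underscores), which is all SELinux boolean names contain.
persistent_value() {
    sed -n "s/^$1[[:space:]]*([a-z]*[[:space:]]*,[[:space:]]*\([a-z]*\)).*/\1/p"
}

# Show the allow rules gated on boolean $1 for httpd_t connecting to TCP ports.
# Requires sesearch from the setools package (flags as in setools 4).
show_rules_enabled_by() {
    command -v sesearch >/dev/null 2>&1 || { echo "sesearch not installed" >&2; return 1; }
    sesearch --allow -s httpd_t -c tcp_socket -p name_connect -b "$1"
}

# Constructed sample of "semanage boolean -l" output, mirroring the post's
# situation: httpd_can_network_connect is on now but off after a reboot.
SAMPLE_SEMANAGE_OUTPUT='SELinux boolean                State  Default Description

httpd_can_network_connect      (on   ,  off)  Allow httpd to can network connect
httpd_can_network_connect_db   (off  ,  off)  Allow httpd to can network connect db
httpd_enable_homedirs          (off  ,  off)  Allow httpd to enable homedirs
samba_export_all_rw            (on   ,   on)  Allow samba to export all rw'

# Use the live policy when semanage is available and we are root (semanage
# usually needs root to open the policy store); otherwise use the sample.
if command -v semanage >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    echo "Booleans that will revert on reboot (name current persistent):"
    semanage boolean -l | find_non_persistent_booleans
else
    echo "semanage not usable here; running against the constructed sample:"
    printf '%s\n' "$SAMPLE_SEMANAGE_OUTPUT" | find_non_persistent_booleans
fi

# Optional: show what the boolean actually switches on in the loaded policy.
if command -v sesearch >/dev/null 2>&1; then
    show_rules_enabled_by httpd_can_network_connect
fi
```

Run as root on a real machine and the script reports every boolean in the "set but not persisted" state; on the constructed sample it prints only httpd_can_network_connect on off. A quick single-flag check is also possible with getsebool httpd_can_network_connect, but that shows the current value only, which is exactly why the persistent column from semanage is the one worth comparing against.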