Hello Coty,

For the sake of other readers, I confirm the behavior you identified from SELinux:

[root@localhost audit]# grep -P '^type=AVC' audit.log | grep name_bind
type=AVC msg=audit(1513876523.918:145): avc: denied { name_bind } for pid=10420 comm="java" src=8090 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1513876981.747:148): avc: denied { name_bind } for pid=10726 comm="java" src=8090 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1513877805.970:135): avc: denied { name_bind } for pid=2376 comm="java" src=8090 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1513877965.612:138): avc: denied { name_bind } for pid=2442 comm="java" src=9090 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:websm_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1513878056.773:141): avc: denied { name_bind } for pid=2512 comm="java" src=17777 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1513878361.650:185): avc: denied { name_bind } for pid=2609 comm="java" src=8090 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1513878699.852:190): avc: denied { name_bind } for pid=2714 comm="java" src=8090 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1513878900.757:193): avc: denied { name_bind } for pid=2803 comm="java" src=8090 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1513879083.533:196): avc: denied { name_bind } for pid=2870 comm="java" src=8090 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1513879865.598:216): avc: denied { name_bind } for pid=3480 comm="java" src=8090 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1513885200.245:233): avc: denied { name_bind } for pid=4385 comm="java" src=9090 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:websm_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1513964943.996:108): avc: denied { name_bind } for pid=1808 comm="java" src=9090 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:websm_port_t:s0 tclass=tcp_socket
[root@localhost audit]#

Since I'm not acquainted with SELinux, I read some introductory documentation about it, so I'm guessing here that the proper way to allow a different port (8090 in your sample of semanage) to be used by Tomcat would be:

semanage port --add -t initrc_t -p tcp 8090

since the running process of Tomcat is not related to http_port_t:

[root@localhost audit]# ps auxZ | grep -v grep | grep -i jenkins
system_u:system_r:initrc_t:s0 jenkins 1255 3.0 27.0 2417080 274544 ? Ssl 10:34 0:51 /etc/alternatives/java -Dcom.sun.akuma.Daemon=daemonized -Djava.awt.headless=true -DJENKINS_HOME=/var/lib/jenkins -jar /usr/lib/jenkins/jenkins.war --logfile=/var/log/jenkins/jenkins.log --webroot=/var/cache/jenkins/war --daemon --httpPort=8090 --debug=5 --handlerCountMax=100 --handlerCountMaxIdle=20

Is that right?

On the other hand, semanage port -l | grep init or semanage port -l | grep 8090 gives me nothing.

Thanks,
Alceu

On Thursday, December 21, 2017 18:49:48 BRST, Coty Sutherland <csuth...@apache.org> wrote:

> This behavior is due to a fix in the selinux-policy package; see https://bugzilla.redhat.com/show_bug.cgi?id=1432083 for more details. If you check /var/log/audit/audit.log you'll see an AVC denial, such as:
>
> type=AVC msg=audit(1513815897.006:136): avc: denied { name_bind } for pid=1467 comm="java" src=8090 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
> ...
>
> Previous versions of tomcat were incorrectly labeled unconfined_t and could do whatever they wanted; that has been addressed and now tomcat is confined by selinux as it should be :)
>
> You can fix the problem by adding the port you want to allow to the system's HTTP port type, http_port_t: `semanage port --add -t http_port_t -p tcp 8090`
>
> Cheers,
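As an added illustration for readers of this thread (it is not code from the thread or from the Tomcat project), the following Python script parses the `name_bind` AVC records shown above, groups them by source domain, port, protocol and the port type the kernel currently assigns, and prints the `semanage port` command that would label each port as `http_port_t` (the fix Coty gives). The sample input embeds three AVC records copied from the thread plus one constructed SYSCALL record to show that unrelated audit records are skipped; all function names are the example's own. It goes one step beyond the thread: a port that already carries a specific type (9090 is `websm_port_t` above) cannot be added a second time, so the script emits `--modify` for it and the comment explains why that case deserves review.

```python
"""Parse SELinux AVC name_bind denials from audit.log and summarise them."""
import re
from collections import Counter

# Sample input: three AVC records copied from the thread above plus one
# constructed SYSCALL record, to show that non-AVC lines are ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1513876523.918:145): avc:  denied  { name_bind } for  pid=10420 comm="java" src=8090 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1513877965.612:138): avc:  denied  { name_bind } for  pid=2442 comm="java" src=9090 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:websm_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1513885200.245:233): avc:  denied  { name_bind } for  pid=4385 comm="java" src=9090 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:websm_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1513876523.918:145): arch=c000003e syscall=49 success=no exit=-13 comm="java"
"""

# Tolerates both the single-spaced form pasted in the thread and the
# double-spaced form auditd actually writes.
AVC_RE = re.compile(
    r"^type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# tclass -> protocol name understood by `semanage port -p`
PROTO_BY_TCLASS = {"tcp_socket": "tcp", "udp_socket": "udp"}


def selinux_type(context):
    """Return the type (third field) of a context such as
    system_u:object_r:unreserved_port_t:s0."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc_line(line):
    """Parse one AVC record into a dict; return None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    for key, value in KV_RE.findall(m.group("rest")):
        rec[key] = value.strip('"')
    rec["source_type"] = selinux_type(rec.get("scontext", ""))
    rec["target_type"] = selinux_type(rec.get("tcontext", ""))
    return rec


def name_bind_denials(text):
    """All denied name_bind records on TCP/UDP sockets in an audit.log text."""
    found = []
    for line in text.splitlines():
        rec = parse_avc_line(line)
        if rec is None or rec["result"] != "denied":
            continue
        if "name_bind" not in rec["perms"] or rec.get("tclass") not in PROTO_BY_TCLASS:
            continue
        found.append(rec)
    return found


def summarize(denials):
    """Count denials per (source domain, port, protocol, current port type)."""
    counts = Counter()
    for rec in denials:
        key = (rec["source_type"], int(rec["src"]),
               PROTO_BY_TCLASS[rec["tclass"]], rec["target_type"])
        counts[key] += 1
    return dict(counts)


def suggest_semanage(summary, port_type="http_port_t"):
    """Build the semanage commands that would label each denied port as
    port_type. A port still carrying the generic unreserved_port_t label can
    simply be added; one already assigned to a specific type (9090 is
    websm_port_t in the thread) can only be re-labelled with --modify, which
    takes the port away from its current owner, so review those before running.
    """
    commands = []
    seen = set()
    for (_domain, port, proto, current) in sorted(summary):
        if current == port_type or (port, proto) in seen:
            continue  # already labelled, or already handled for another domain
        seen.add((port, proto))
        action = "--add" if current == "unreserved_port_t" else "--modify"
        commands.append(f"semanage port {action} -t {port_type} -p {proto} {port}")
    return commands


if __name__ == "__main__":
    denials = name_bind_denials(SAMPLE_AUDIT_LOG)
    for key, n in sorted(summarize(denials).items()):
        print(f"{key[0]} -> {key[2]}/{key[1]} (currently {key[3]}): {n} denial(s)")
    print("\n".join(suggest_semanage(summarize(denials))))
```

Run it against a real file with `name_bind_denials(open("/var/log/audit/audit.log").read())`; the printed commands are suggestions to review, since re-labelling a port that another service already owns changes what that service is allowed to bind.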