change selinux port policy (memcached)

Jordi asked:

I’m running CentOS 7.2 with SELinux.

I’ve written these two service files on CentOS 7.2:

Systemd unit file for memcached_mc2:

[Unit]
Description=memcached instance memcached_mc2
After=network.target

[Service]
LimitNOFILE=1024
ExecStart=/usr/bin/memcached -m 64 -U 11212 -p 11212 -u memcached -l 0.0.0.0 -c 1024 -I 1m
Restart=on-failure

[Install]
WantedBy=multi-user.target

Systemd unit file for memcached_mc1:

[Unit]
Description=memcached instance memcached_mc1
After=network.target

[Service]
LimitNOFILE=1024
ExecStart=/usr/bin/memcached -m 64 -U 11211 -p 11211 -u memcached -l 0.0.0.0 -c 1024 -I 1m
Restart=on-failure

[Install]
WantedBy=multi-user.target

As you can see, the only thing that changes is the port each memcached instance listens on.

Nevertheless, I’m able to start memcached_mc1 but not memcached_mc2:

$ systemctl status memcached_mc1
● memcached_mc1.service - memcached instance memcached_mc1
   Loaded: loaded (/etc/systemd/system/memcached_mc1.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2017-02-24 10:39:17 UTC; 48s ago
 Main PID: 14388 (memcached)
   CGroup: /system.slice/memcached_mc1.service
           └─14388 /usr/bin/memcached -m 64 -U 11211 -p 11211 -u memcached -l 0.0.0.0 -c 1024 -I 1

$ systemctl status memcached_mc2
memcached_mc2.service - memcached instance memcached_mc2
   Loaded: loaded (/etc/systemd/system/memcached_mc2.service; enabled; vendor preset: disabled)
   Active: failed (Result: start-limit) since Fri 2017-02-24 10:37:18 UTC; 2min 50s ago
  Process: 14359 ExecStart=/usr/bin/memcached -m 64 -U 11212 -p 11212 -u memcached -l 0.0.0.0 -c 1024 -I 1m (code=exited, status=71)

Main PID: 14359 (code=exited, status=71)

I’ve tried to stop mc1 and start only mc2 but the result is the same: mc2 is not started.

I’ve also tried to find out where I can look at the logs; nevertheless, I’ve not been able to find where they are stored.

I think the problem is that SELinux doesn’t allow memcached to be used on a port other than the standard 11211. Is that possible? What do I need to change?

Any ideas?

My answer:


You need to tell SELinux about the custom port you want to use for memcached.

First, let’s see what the correct type is:

# semanage port -l | grep -w 11211
memcache_port_t                tcp      11211
memcache_port_t                udp      11211

So we want to use the type memcache_port_t and add our desired port:

# semanage port -a -t memcache_port_t -p tcp 11212
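As an added example (not part of the original question or answer), here is a small POSIX sh helper that reads the output of `semanage port -l` and decides whether a port needs `semanage port -a`, `semanage port -m` (because another type already owns it) or nothing at all. The listing below is constructed, not taken from a real host. Note that the unit files above also open UDP 11212 via `-U`, so the udp protocol needs the same treatment as tcp.

```shell
#!/bin/sh
# Added example: plan the semanage command for a memcached port.
# Assumes the column layout of `semanage port -l`: TYPE PROTO PORTS...

# Print the type bound to exactly PORT/PROTO in LISTING, or nothing.
port_label_of() {
  proto="$1"; port="$2"; listing="$3"
  printf '%s\n' "$listing" | awk -v p="$proto" -v n="$port" '
    $2 == p {
      for (i = 3; i <= NF; i++) {
        r = $i; sub(/,$/, "", r)        # strip the separating comma
        if (r == n) { print $1; exit }  # exact port (or range) match only
      }
    }'
}

# Print the command needed to label PORT/PROTO as TYPE.
# Only an exact existing definition makes "semanage port -a" fail with
# "already defined"; a broad range such as unreserved_port_t 1024-32767
# does not, so containment is deliberately not checked here.
plan_port_label() {
  type="$1"; proto="$2"; port="$3"; listing="$4"
  current=$(port_label_of "$proto" "$port" "$listing")
  if [ -z "$current" ]; then
    echo "semanage port -a -t $type -p $proto $port"
  elif [ "$current" = "$type" ]; then
    echo "nothing to do: $proto/$port already $type"
  else
    echo "semanage port -m -t $type -p $proto $port"
  fi
}

# Constructed listing in the format of `semanage port -l`.
LISTING='http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
memcache_port_t                tcp      11211
memcache_port_t                udp      11211
unreserved_port_t              tcp      61001-65535, 1024-32767'

# The question's case: 11212 is undefined for both protocols, so -a is right.
plan_port_label memcache_port_t tcp 11212 "$LISTING"
plan_port_label memcache_port_t udp 11212 "$LISTING"
# 11211 already carries memcache_port_t; 8443 belongs to http_port_t and needs -m.
plan_port_label memcache_port_t tcp 11211 "$LISTING"
plan_port_label memcache_port_t tcp 8443 "$LISTING"
```

After applying the command it prints, `semanage port -l | grep -w 11212` should show memcache_port_t for both tcp and udp before the unit is started again.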

View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.