I am using Apache 2.2 on Fedora Core 6 to connect to Tomcat 5.5 instances running on localhost via AJP. I am running SELinux enforced with the default HTTPD policy. All connections are to localhost.
For the Tomcat instance with AJP port 8009, Apache is able to connect fine.
For all the other instances with other AJP ports, Apache is unable to connect.
If I now change the HTTPD SELinux policy for httpd_can_network_connect to true, Apache is now able to connect fine to the other Tomcat instances.
So, somehow, even in httpd_can_network_connect = false mode, Apache knows that it is allowed to connect to port 8009 on localhost.
Where is this configured? How can I keep httpd_can_network_connect = false, yet configure a few additional AJP ports?
I don't want to leave my Apache wide open, but right now I can't see I have a choice if I want multiple Tomcat instances on the box. Ironically, I have noticed that RHEL 4.0 does not exhibit this behaviour by default (I have a server with a dozen Tomcat instances running quite happily behind Apache with no mod to the policy).
Thanks for the help
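Added example, not part of the original question: a POSIX shell script that shows the mechanism behind the observed behaviour on the targeted policy. httpd_t is allowed to name_connect to TCP ports labeled http_port_t regardless of the httpd_can_network_connect boolean, and `semanage port` is the tool that maps port numbers to that type. The script parses `semanage port -l` output to tell whether a given AJP port is already covered and, if not, prints the `semanage port -a` command that would label it. The sample port listing, the port 8010, and the function names are constructed for offline use; run it with `--live <port>` on a system that has policycoreutils installed to check the real policy.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the SELinux targeted
# policy's http_port_t type and the semanage/getsebool tools from policycoreutils.

# Constructed sample of `semanage port -l` output (type, protocol, port list);
# the real list on a given system may differ, so check it with `semanage port -l`.
SAMPLE_PORT_LIST='http_cache_port_t              tcp      3128, 8080, 8118
http_port_t                    tcp      80, 443, 488, 8008-8009, 8443
mysqld_port_t                  tcp      3306'

# port_has_type LIST TYPE PORT
# Returns 0 if PORT falls inside any single port or range listed for TYPE/tcp.
port_has_type() {
    pl=$1; pt=$2; pn=$3
    printf '%s\n' "$pl" | awk -v t="$pt" -v p="$pn" '
        $1 == t && $2 == "tcp" {
            for (i = 3; i <= NF; i++) {
                f = $i; gsub(",", "", f)           # strip the list separator
                n = split(f, r, "-")               # "lo-hi" range or single port
                lo = r[1]; hi = (n == 2) ? r[2] : r[1]
                if (p + 0 >= lo + 0 && p + 0 <= hi + 0) found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# ajp_port_plan LIST PORT
# Prints "ok" when PORT is already reachable for httpd with the boolean off,
# otherwise the persistent semanage command that labels it http_port_t.
ajp_port_plan() {
    if port_has_type "$1" http_port_t "$2"; then
        echo "ok: tcp/$2 already labeled http_port_t"
    else
        echo "semanage port -a -t http_port_t -p tcp $2"
    fi
}

# live_report PORT: same check against the running system's policy.
live_report() {
    command -v semanage >/dev/null 2>&1 || {
        echo "semanage not installed (policycoreutils-python)"; return 1; }
    echo "httpd_can_network_connect: $(getsebool httpd_can_network_connect)"
    ajp_port_plan "$(semanage port -l)" "$1"
}

# Offline demonstration on the constructed listing.
ajp_port_plan "$SAMPLE_PORT_LIST" 8009   # -> ok: tcp/8009 already labeled http_port_t
ajp_port_plan "$SAMPLE_PORT_LIST" 8010   # -> semanage port -a -t http_port_t -p tcp 8010

# Optional: `sh script.sh --live 8010` to inspect the real policy.
if [ "${1:-}" = "--live" ] && [ -n "${2:-}" ]; then
    live_report "$2"
fi
```

Labeling the extra AJP ports http_port_t (or, on policies that define it, an AJP-specific port type) keeps httpd_can_network_connect off, so httpd can still only reach the ports the policy names rather than any TCP destination. `semanage port -a` persists across reboots and relabels; if the port is already assigned to another type the command fails with "already defined", and `semanage port -m` modifies the existing mapping instead.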