SElinux：允许httpd连接到redis

我在 RedHat7 上运行，安装了 apache 2.4 和 redis。除非解决了 selinux 问题，否则 Apache 不会连接到 redis。我知道解决这个问题的一个选项是允许所有连接：

setsebool -P httpd_can_network_connect=1

但我宁愿只允许连接到本地运行的 redis，而不是所有 tcp 端口。我遵循了以下建议：

SElinux：允许 httpd 连接到特定端口

但对我来说不太管用。第一个建议失败了，因为 redis 端口已经定义（由 redis 定义）：

 semanage port -l | egrep '(^http_port_t|6379)'
 http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
 redis_port_t                   tcp      6379, 16379, 26379

 semanage port -a -t http_port_t -p tcp 6379
ValueError: Port tcp/6379 already defined

第二个建议：

 semanage port -m -t http_port_t -p tcp 6379

运行正常，apache 能够正确连接到 redis。但是，重启后，redis 无法启动，并出现另一个 selinux 错误（“SELinux 阻止 /opt/rh/rh-redis32/root/usr/bin/redis-server 在 tcp_socket 端口 6379 上进行 name_bind 访问”）：

SELinux is preventing /opt/rh/rh-redis32/root/usr/bin/redis-server from name_bind access on the tcp_socket port 6379.

*****  Plugin catchall (100. confidence) suggests     
If you believe that redis-server should be allowed name_bind access on the port 6379 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
 Do allow this access for now by executing:
 ausearch -c 'redis-server' --raw | audit2allow -M my-redisserver
 semodule -i my-redisserver.pp
Additional Information:

Source Context                system_u:system_r:redis_t:s0
Target Context                system_u:object_r:http_port_t:s0
Target Objects                port 6379 [ tcp_socket ]
Source                        redis-server
Source Path                   /opt/rh/rh-redis32/root/usr/bin/redis-server
Port                          6379

有谁知道如何正确允许 apache 连接到（本地安装的）redis，而无需设置“httpd_can_network_connect”？

注意：在执行任何 semanage 命令之前，selinux 对 httpd 无法使用 redis 的抱怨是：

SELinux is preventing /opt/rh/httpd24/root/usr/sbin/httpd from name_connect access on the tcp_socket port 6379.
*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************
If you want to allow httpd to can network connect
Then you must tell SELinux about this by enabling the 'httpd_can_network_connect' boolean.
Do
setsebool -P httpd_can_network_connect 1
*****  Plugin catchall (11.6 confidence) suggests   **************************
If you believe that httpd should be allowed name_connect access on the port 6379 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
# semodule -i my-httpd.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:redis_port_t:s0
Target Objects                port 6379 [ tcp_socket ]
Source                        httpd
Source Path                   /opt/rh/httpd24/root/usr/sbin/httpd
Port                          6379
Host                          <Unknown>
Source RPM Packages           httpd24-httpd-2.4.27-8.el7.1.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-192.el7_5.6.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
[...]
Raw Audit Messages
type=AVC msg=audit(1540322412.65:21558): avc:  denied  { name_connect } for  pid=26250 comm="httpd" dest=6379 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:redis_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1540322412.65:21558): arch=x86_64 syscall=connect success=no exit=EACCES a0=11 a1=7efca766b050 a2=10 a3=5bcf746c items=0 ppid=11656 pid=26250 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=httpd exe=/opt/rh/httpd24/root/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
Hash: httpd,httpd_t,redis_port_t,tcp_socket,name_connect