Click on each book below to review & buy on Amazon.
As an Amazon Associate, I earn from qualifying purchases.
RHCSA - Manage Security: Manage SELinux Port Labels
Managing Port Labels Using semanage
The semanage command is a tool that enables users to manage and modify SELinux policies. It allows for the configuration of SELinux policy rules for various system resources, such as files, directories, ports, and users.
Here are some commonly used options with the semanage command:
| Option | Description |
|---|---|
-t, --type |
SELinux type for the object |
-a, --add |
Add a record of the specified object type. |
-d, --delete |
Delete a record of the specified object type. |
-m, --modify |
Modify a record of the specified object type. |
-l, --list |
List records of the specified object type. |
-p, --proto |
Protocol for the specified port (tcp |
SELinux defines rules and permissions associated with network ports and services by assigning specific labels to ports. In the following exercises you will add and modify these port labels.
To follow along, make sure you have httpd installed and SELinux set to Enforcing.
List the http port label and confirm httpd service restarts ok:
sudo semanage port --list | grep '^http_port_t'
The output will show all the current tcp ports that are allowed for http:
http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000
By default the httpd service listens on port 80 so restarting the service should be ok:
sudo systemctl restart httpd
Amend httpd service to listen on non-standard port:
Amend httpd.conf so that the Listen setting is set to 82:
sudo sed -i 's/^Listen.*/Listen 82/' /etc/httpd/conf/httpd.conf
Restart the service to confirm SELinux causes problems with the non-standard port:
sudo systemctl restart httpd
An error should be received:
Job for httpd.service failed because the control process exited with error code.
See "systemctl status httpd.service" and "journalctl -xeu httpd.service" for details.
Check the status of the service to see permission denied messages:
systemctl status httpd
Command output:
× httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; preset: disabled)
Active: failed (Result: exit-code) since Tue 2023-08-29 08:13:19 BST; 2min 2s ago
Duration: 11min 40.211s
Docs: man:httpd.service(8)
Process: 6515 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
Main PID: 6515 (code=exited, status=1/FAILURE)
Status: "Reading configuration..."
CPU: 47ms
Aug 29 08:13:19 rhcsa-install.home.arpa systemd[1]: Starting The Apache HTTP Server...
Aug 29 08:13:19 rhcsa-install.home.arpa httpd[6515]: (13)Permission denied: AH00072: make_sock: could not bind to ad>
Aug 29 08:13:19 rhcsa-install.home.arpa httpd[6515]: (13)Permission denied: AH00072: make_sock: could not bind to ad>
Aug 29 08:13:19 rhcsa-install.home.arpa httpd[6515]: no listening sockets available, shutting down
Aug 29 08:13:19 rhcsa-install.home.arpa httpd[6515]: AH00015: Unable to open logs
Aug 29 08:13:19 rhcsa-install.home.arpa systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Aug 29 08:13:19 rhcsa-install.home.arpa systemd[1]: httpd.service: Failed with result 'exit-code'.
Aug 29 08:13:19 rhcsa-install.home.arpa systemd[1]: Failed to start The Apache HTTP Server.
To fix the permission denied problem you need to add port 82 to the http_port_t context:
sudo semanage port --add --type http_port_t --proto tcp 82
Restart the service to confirm SELinux no longer causes any problems:
sudo systemctl restart httpd
No errors will be printed to screen as the restart of the service should be successful.
Revert the httpd service to listen on port 80 again and remove port 82 from the http_port_t context:
Amend httpd.conf so that the Listen setting is set back to 80:
sudo sed -i 's/^Listen.*/Listen 80/' /etc/httpd/conf/httpd.conf
Restart the service:
sudo systemctl restart httpd
No errors will be printed to screen as the restart of the service should be successful.
Remove port 82 from label http_port_t:
sudo semanage port --delete --type http_port_t --proto tcp 82
List the ports for http_port_t to confirm port 82 is not present:
sudo semanage port --list | grep '^http_port_t'
Output should look like:
http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000
Support DTV Linux
Click on each book below to review & buy on Amazon. As an Amazon Associate, I earn from qualifying purchases.
NordVPN ®: Elevate your online privacy and security. Grab our Special Offer to safeguard your data on public Wi-Fi and secure your devices. I may earn a commission on purchases made through this link.