RHCSA - Manage Security: Manage SELinux Port Labels
Managing Port Labels Using semanage
The `semanage` command is a tool that enables users to manage and modify SELinux policies. It allows for the configuration of SELinux policy rules for various system resources, such as files, directories, ports, and users.
Here are some commonly used options with the `semanage` command:
Option | Description |
---|---|
`-t`, `--type` | SELinux type for the object. |
`-a`, `--add` | Add a record of the specified object type. |
`-d`, `--delete` | Delete a record of the specified object type. |
`-m`, `--modify` | Modify a record of the specified object type. |
`-l`, `--list` | List records of the specified object type. |
`-p`, `--proto` | Protocol for the specified port (tcp or udp). |
SELinux defines rules and permissions associated with network ports and services by assigning specific labels to ports. In the following exercises you will add and modify these port labels.
To follow along, make sure you have `httpd` installed and SELinux set to `Enforcing`.
List the http port label and confirm the `httpd` service restarts ok:
```sh
sudo semanage port --list | grep '^http_port_t'
```
The output will show all the current `tcp` ports that are allowed for `http`:
```
http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000
```
By default the `httpd` service listens on port `80`, so restarting the service should be ok:
```sh
sudo systemctl restart httpd
```
Amend the `httpd` service to listen on a non-standard port:
Amend `httpd.conf` so that the `Listen` setting is set to `82`:
```sh
sudo sed -i 's/^Listen.*/Listen 82/' /etc/httpd/conf/httpd.conf
```
Restart the service to confirm that SELinux blocks the bind to the non-standard port:
```sh
sudo systemctl restart httpd
```
An error should be received:
```
Job for httpd.service failed because the control process exited with error code.
See "systemctl status httpd.service" and "journalctl -xeu httpd.service" for details.
```
Check the status of the service to see the permission denied messages:
```sh
systemctl status httpd
```
Command output:
```
× httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; preset: disabled)
Active: failed (Result: exit-code) since Tue 2023-08-29 08:13:19 BST; 2min 2s ago
Duration: 11min 40.211s
Docs: man:httpd.service(8)
Process: 6515 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
Main PID: 6515 (code=exited, status=1/FAILURE)
Status: "Reading configuration..."
CPU: 47ms
Aug 29 08:13:19 rhcsa-install.home.arpa systemd[1]: Starting The Apache HTTP Server...
Aug 29 08:13:19 rhcsa-install.home.arpa httpd[6515]: (13)Permission denied: AH00072: make_sock: could not bind to ad>
Aug 29 08:13:19 rhcsa-install.home.arpa httpd[6515]: (13)Permission denied: AH00072: make_sock: could not bind to ad>
Aug 29 08:13:19 rhcsa-install.home.arpa httpd[6515]: no listening sockets available, shutting down
Aug 29 08:13:19 rhcsa-install.home.arpa httpd[6515]: AH00015: Unable to open logs
Aug 29 08:13:19 rhcsa-install.home.arpa systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Aug 29 08:13:19 rhcsa-install.home.arpa systemd[1]: httpd.service: Failed with result 'exit-code'.
Aug 29 08:13:19 rhcsa-install.home.arpa systemd[1]: Failed to start The Apache HTTP Server.
```
To fix the permission denied problem you need to add port `82` to the `http_port_t` context:
```sh
sudo semanage port --add --type http_port_t --proto tcp 82
```
Restart the service to confirm SELinux no longer causes any problems:
```sh
sudo systemctl restart httpd
```
No errors will be printed to screen as the restart of the service should be successful.
Revert the `httpd` service to listen on port `80` again and remove port `82` from the `http_port_t` context:
Amend `httpd.conf` so that the `Listen` setting is set back to `80`:
```sh
sudo sed -i 's/^Listen.*/Listen 80/' /etc/httpd/conf/httpd.conf
```
Restart the service:
```sh
sudo systemctl restart httpd
```
No errors will be printed to screen as the restart of the service should be successful.
Remove port `82` from the label `http_port_t`:
```sh
sudo semanage port --delete --type http_port_t --proto tcp 82
```
List the ports for `http_port_t` to confirm port `82` is not present:
```sh
sudo semanage port --list | grep '^http_port_t'
```
Output should look like:
```
http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000
```
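The add and delete steps above are not idempotent: running `semanage port --add` a second time for a port that is already labelled fails. The script below is an added example (not part of these notes) that parses the `semanage port --list` output format, including ranges such as `5900-5999`, and only adds a port when it is not already covered; `port_is_labelled`, `ensure_port_label` and the sample listing are constructed for this example.

```sh
#!/bin/sh
# Return 0 if PORT/PROTO is already covered by the SELinux type LABEL in
# LISTING, where LISTING is the text printed by `semanage port --list`, e.g.
#   http_port_t   tcp   80, 81, 443, 488, 8008, 8009, 8443, 9000
#   vnc_port_t    tcp   5900-5999
# Usage: port_is_labelled LISTING LABEL PROTO PORT
port_is_labelled() {
    listing=$1 label=$2 proto=$3 port=$4
    # keep only the port column(s) of the matching label/proto row
    ports=$(printf '%s\n' "$listing" | awk -v l="$label" -v p="$proto" \
        '$1 == l && $2 == p { $1 = ""; $2 = ""; print }')
    # word-split on commas and whitespace; each entry is N or LO-HI
    for entry in $(printf '%s' "$ports" | tr ',' ' '); do
        case $entry in
            *-*) lo=${entry%-*}; hi=${entry#*-}
                 [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] && return 0 ;;
            *)   [ "$entry" -eq "$port" ] && return 0 ;;
        esac
    done
    return 1
}

# Label PORT/PROTO as LABEL only if it is not already covered, so the
# function is safe to re-run from a provisioning script. If semanage reports
# the port as already defined under a different type, --modify is needed
# instead of --add; that case is left to the caller.
ensure_port_label() {
    label=$1 proto=$2 port=$3
    listing=$(semanage port --list) || return 2
    if port_is_labelled "$listing" "$label" "$proto" "$port"; then
        echo "$proto/$port already labelled $label"
        return 0
    fi
    semanage port --add --type "$label" --proto "$proto" "$port"
}

# Constructed sample in the shape of real `semanage port --list` output,
# so the parser can be exercised on a machine without SELinux.
SAMPLE_LISTING='SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
vnc_port_t                     tcp      5900-5999'

port_is_labelled "$SAMPLE_LISTING" http_port_t tcp 82 \
    || echo "tcp/82 is not labelled http_port_t; semanage port --add is required"
```

On a real host, `sudo sh -c '. ./portlabel.sh; ensure_port_label http_port_t tcp 82'` performs the add step from the exercise only when needed.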