
RHCSA - Manage Security: Manage SELinux Port Labels

Managing Port Labels Using semanage

The semanage command manages persistent SELinux policy customisations without rewriting policy modules. It can add, modify and list the policy rules for objects such as file contexts, network ports, booleans, logins and users, and its changes are stored in the local policy store, so they survive reboots and relabels.

Here are some commonly used options with the semanage command:

Option          Description
-t, --type      SELinux type for the object
-a, --add       Add a record of the specified object type.
-d, --delete    Delete a record of the specified object type.
-m, --modify    Modify a record of the specified object type.
-l, --list      List records of the specified object type.
-p, --proto     Protocol for the specified port (tcp or udp)

SELinux labels every network port with a port type, and policy then allows a confined domain to bind only to ports carrying the types it is permitted: httpd runs as httpd_t and may bind to ports labelled http_port_t. A port that carries a different label is off limits even if the process runs as root. In the following exercises you will add and remove these port labels.

To follow along, make sure you have httpd installed and SELinux set to Enforcing.

List the ports currently labelled http_port_t:

sudo semanage port --list | grep '^http_port_t'

The output shows every tcp port that httpd_t is allowed to bind to:

http_port_t    tcp    80, 81, 443, 488, 8008, 8009, 8443, 9000

By default the httpd service listens on port 80 so restarting the service should be ok:

sudo systemctl restart httpd

Amend the httpd service to listen on a non-standard port:

Amend httpd.conf so that the Listen setting is set to 82:

sudo sed -i 's/^Listen.*/Listen 82/' /etc/httpd/conf/httpd.conf

Restart the service. With SELinux enforcing, httpd_t is not allowed to bind to tcp/82 (which carries a generic reserved-port label, not http_port_t), so the start fails:

sudo systemctl restart httpd

systemctl reports the failure:

Job for httpd.service failed because the control process exited with error code.
See "systemctl status httpd.service" and "journalctl -xeu httpd.service" for details.

Check the status of the service to see the permission denied messages (the matching AVC denial is also recorded in /var/log/audit/audit.log):

systemctl status httpd

Command output:

× httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; preset: disabled)
     Active: failed (Result: exit-code) since Tue 2023-08-29 08:13:19 BST; 2min 2s ago
   Duration: 11min 40.211s
       Docs: man:httpd.service(8)
    Process: 6515 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
   Main PID: 6515 (code=exited, status=1/FAILURE)
     Status: "Reading configuration..."
        CPU: 47ms

Aug 29 08:13:19 rhcsa-install.home.arpa systemd[1]: Starting The Apache HTTP Server...
Aug 29 08:13:19 rhcsa-install.home.arpa httpd[6515]: (13)Permission denied: AH00072: make_sock: could not bind to ad>
Aug 29 08:13:19 rhcsa-install.home.arpa httpd[6515]: (13)Permission denied: AH00072: make_sock: could not bind to ad>
Aug 29 08:13:19 rhcsa-install.home.arpa httpd[6515]: no listening sockets available, shutting down
Aug 29 08:13:19 rhcsa-install.home.arpa httpd[6515]: AH00015: Unable to open logs
Aug 29 08:13:19 rhcsa-install.home.arpa systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Aug 29 08:13:19 rhcsa-install.home.arpa systemd[1]: httpd.service: Failed with result 'exit-code'.
Aug 29 08:13:19 rhcsa-install.home.arpa systemd[1]: Failed to start The Apache HTTP Server.

To fix the permission denied problem, add port 82 to the http_port_t type. The change goes into the local policy store and persists across reboots. Note that --add only works when no policy entry already names that exact port and protocol; if the port were already defined under another type, semanage would refuse with "already defined" and you would use --modify instead.

sudo semanage port --add --type http_port_t --proto tcp 82

Restart the service to confirm SELinux no longer causes any problems:

sudo systemctl restart httpd

The restart succeeds and nothing is printed; httpd is now bound to tcp/82.

Revert the httpd service to listen on port 80 again and remove port 82 from the http_port_t context:

Amend httpd.conf so that the Listen setting is set back to 80:

sudo sed -i 's/^Listen.*/Listen 80/' /etc/httpd/conf/httpd.conf

Restart the service:

sudo systemctl restart httpd

The restart succeeds and nothing is printed, because port 80 is still labelled http_port_t.

Remove the local customisation so port 82 no longer carries http_port_t:

sudo semanage port --delete --type http_port_t --proto tcp 82

List the ports for http_port_t to confirm port 82 is not present:

sudo semanage port --list | grep '^http_port_t'

Output should look like:

http_port_t    tcp    80, 81, 443, 488, 8008, 8009, 8443, 9000