RHEL7: Use SELinux port labelling to allow services to use non-standard ports.


Note: This is an RHCE 7 exam objective.

Presentation

Because of SELinux policy, a service is normally allowed to run on a restricted list of well-known ports. For example, in the case of the httpd service, this list is 80, 443, 488, 8008, 8009, 8443.

To allow a service to use non-standard ports, you need to follow a specific procedure to change the SELinux policy.

Prerequisites

Install the setroubleshoot-server (to get the semanage command) and, optionally, the selinux-policy-devel (to get the sepolicy command) packages:

# yum install -y setroubleshoot-server selinux-policy-devel

Install the service (here httpd) that you want to run (if it’s not already done):

# yum install -y httpd

SELinux procedure

To get the list of all restricted ports by service, type:

# semanage port -l
SELinux Port Type              Proto    Port Number

afs3_callback_port_t           tcp      7001
afs3_callback_port_t           udp      7001
afs_bos_port_t                 udp      7007
afs_fs_port_t                  tcp      2040
afs_fs_port_t                  udp      7000, 7005
afs_ka_port_t                  udp      7004
afs_pt_port_t                  udp      7002
afs_vl_port_t                  udp      7003
...
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
...
zookeeper_client_port_t        tcp      2181
zookeeper_election_port_t      tcp      3888
zookeeper_leader_port_t        tcp      2888
zope_port_t                    tcp      8021

To get the list of well-known ports for the httpd service, type:

# semanage port -l | grep -w http_port_t
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000

Alternatively, you can also use the sepolicy command to get the same result:

# sepolicy network -t http_port_t
http_port_t: tcp: 80,81,443,488,8008,8009,8443,9000

To check whether a port (here 8001) is already labelled for a service, type:

# sepolicy network -p 8001
8001: tcp unreserved_port_t 1024-32767
8001: udp unreserved_port_t 1024-32767

To allow the httpd service to run on the 8001 tcp port (-a for add), type:

# semanage port -a -t http_port_t -p tcp 8001

Note1: Use the -d option instead of the -a option to remove a port from the list.
Note2: In case the 8001 tcp port is already assigned to another service, use the -m option to modify its label instead of -a (see Sander van Vugt's RHCE FAQ for more information): a port can only be labelled for one service at a time.

To check the list is updated, type:

# semanage port -l | grep -w http_port_t
http_port_t                    tcp      8001, 80, 81, 443, 488, 8008, 8009, 8443, 9000

Alternatively, you can check the new status of the port (here 8001):

# sepolicy network -p 8001
8001: tcp unreserved_port_t 1024-32767
8001: udp unreserved_port_t 1024-32767
8001: tcp http_port_t 8001
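The checks above rely on reading the semanage port -l listing by eye. As an added example (not part of the original page), the following POSIX shell functions parse that listing format and report which SELinux port types cover a given port and protocol, handling both single ports and ranges such as 1024-32767 (so a port labelled for http_port_t is also shown as falling inside unreserved_port_t, exactly as in the sepolicy output above). The listing embedded in SAMPLE_SEMANAGE_OUTPUT is constructed for this example; on a real system pipe the live output into port_types instead.

```shell
#!/bin/sh
# Added example: parse `semanage port -l` style output and report which
# SELinux port types cover a given port/protocol.
# The listing below is CONSTRUCTED for this example; it mirrors the format
# shown on the page (type, protocol, comma-separated ports and lo-hi ranges).
SAMPLE_SEMANAGE_OUTPUT='SELinux Port Type              Proto    Port Number

afs3_callback_port_t           tcp      7001
http_port_t                    tcp      8001, 80, 81, 443, 488, 8008, 8009, 8443, 9000
unreserved_port_t              tcp      61001-65535, 1024-32767
unreserved_port_t              udp      61001-65535, 1024-32767
zope_port_t                    tcp      8021'

# port_types PORT PROTO
# Reads a semanage-style listing on stdin and prints, one per line, every
# SELinux port type whose label covers PORT/PROTO.
# Real use: semanage port -l | port_types 8001 tcp
port_types() {
    awk -v port="$1" -v proto="$2" '
        NR == 1 || NF < 3 { next }      # skip the header and blank lines
        $2 != proto { next }            # only the requested protocol
        {
            # fields 3..NF hold the comma-separated port list
            for (i = 3; i <= NF; i++) {
                p = $i
                sub(/,$/, "", p)        # strip the trailing comma
                if (p ~ /^[0-9]+-[0-9]+$/) {
                    # lo-hi range, e.g. 1024-32767
                    split(p, r, "-")
                    if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) {
                        print $1
                        next
                    }
                } else if (p + 0 == port + 0) {
                    print $1
                    next
                }
            }
        }'
}

# is_labelled PORT PROTO TYPE
# Succeeds (exit 0) when TYPE covers PORT/PROTO in the sample listing,
# e.g. is_labelled 8001 tcp http_port_t
is_labelled() {
    printf '%s\n' "$SAMPLE_SEMANAGE_OUTPUT" | port_types "$1" "$2" | grep -qx "$3"
}

# Demonstration run against the constructed listing.
echo "Types covering tcp/8001:"
printf '%s\n' "$SAMPLE_SEMANAGE_OUTPUT" | port_types 8001 tcp
if is_labelled 8001 tcp http_port_t; then
    echo "tcp/8001 is labelled for httpd"
else
    echo "tcp/8001 is NOT labelled for httpd; run: semanage port -a -t http_port_t -p tcp 8001"
fi
```

Because a port can carry only one specific service label, seeing a type other than unreserved_port_t in the output for a port you intend to assign is the signal that semanage port -m (modify) rather than -a (add) is required.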

Additional specific service configuration

In addition to the SELinux policy change, you may need to adjust the service configuration.
For example, with the httpd service, you will need to update the Listen directive or, if it’s a virtual host, the <VirtualHost> directive in the /etc/httpd/conf/httpd.conf file to take into account the new port.

Source: RHEL 7 SELinux Users and Administrators Guide and sepolicy network man page.


3 Comments on "RHEL7: Use SELinux port labelling to allow services to use non-standard ports."

twostep

semanage command is included in policycoreutils-python
