SELinux also controls access to your TCP/IP ports. If your application is confined by SELinux, it will also deny access to your ports when starting up the application.
This recipe will show you how to detect which ports are used by a particular SELinux type and change it.
Let's allow the HTTP daemon to listen on the nonstandard port 82 through the following steps. First, list the ports currently assigned to the HTTP-related types:
~# semanage port -l | grep http
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989
~#
The SELinux port assignment we're looking for is http_port_t. As you can see, only the displayed ports (80, 81, 443, 488, 8008, 8009, 8443, and 9000) may be listened on by a process that is allowed to use the http_port_t type.
Now add port 82 to the list of allowed ports, as follows:
~# semanage port -a -t http_port_t -p tcp 82
~#
~# semanage port -l | grep ^http_port_t
http_port_t                    tcp      82, 80, 81, 443, 488, 8008, 8009, 8443, 9000
~#
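Before adding a port it is worth checking whether it is already assigned to a different type, because semanage port -a refuses a port that is already defined and the assignment has to be changed with -m instead. The following shell functions are an added example rather than code from the recipe: they parse a semanage port -l style listing (SAMPLE_LISTING is constructed from the output above), handle ranges such as 10001-10010, and report whether a given port needs an add, a modify, or nothing at all.

```shell
#!/bin/sh
# Constructed sample in the format of `semanage port -l`; on a real host use
# "$(semanage port -l)" instead (header and blank lines are skipped safely).
SAMPLE_LISTING='http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989'

# port_types LISTING PROTO PORT
# Prints every SELinux port type whose assignment covers PORT on PROTO,
# expanding ranges written as lo-hi.
port_types() {
    listing=$1; proto=$2; port=$3
    printf '%s\n' "$listing" | while read -r type p rest; do
        [ "$p" = "$proto" ] || continue
        for item in $(printf '%s' "$rest" | tr ',' ' '); do
            case $item in
                *-*) lo=${item%-*}; hi=${item#*-} ;;
                *)   lo=$item;       hi=$item ;;
            esac
            if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
                printf '%s\n' "$type"
                break
            fi
        done
    done
}

# semanage_verb LISTING TYPE PROTO PORT
# Prints "skip" if PORT already carries TYPE, "modify" if it carries some other
# type (use semanage port -m), or "add" if it is unassigned (semanage port -a).
semanage_verb() {
    have=$(port_types "$1" "$3" "$4")
    if [ -z "$have" ]; then
        echo add
    elif printf '%s\n' "$have" | grep -qx "$2"; then
        echo skip
    else
        echo modify
    fi
}

# Usage against the constructed listing.
semanage_verb "$SAMPLE_LISTING" http_port_t tcp 82     # add
semanage_verb "$SAMPLE_LISTING" http_port_t tcp 8080   # modify (http_cache_port_t)
semanage_verb "$SAMPLE_LISTING" http_port_t tcp 443    # skip
```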
This recipe refers to the HTTP daemon rather than to Apache because the SELinux policy governing HTTP daemons applies not only to the Apache web server but also to Nginx. So, as long as you use the packages provided by Red Hat, the correct SELinux policy will be applied.
Take a look at the following example of an AVC denial report found in the audit.log file, caused by the domain not being allowed to access a certain port:
type=AVC msg=audit(1225948455.061:294): avc: denied { name_bind } for pid=4997 comm="httpd" src=82 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
This AVC denial shows that the httpd daemon attempted to listen (name_bind) on port 82 but was prohibited by SELinux.