Rocky_Linux_8
SELinux : Change Port Types
2021/07/22

 
SELinux assigns a Type label to each network Port, so a Service cannot bind a Port whose Type is not configured for it: the bind is denied even when the Service's own configuration is correct.
[1] List the Types assigned to network Ports as follows.
[root@dlp ~]#
semanage port -l

SELinux Port Type              Proto    Port Number

afs3_callback_port_t           tcp      7001
afs3_callback_port_t           udp      7001
afs_bos_port_t                 udp      7007
afs_fs_port_t                  tcp      2040
afs_fs_port_t                  udp      7000, 7005
afs_ka_port_t                  udp      7004
afs_pt_port_t                  tcp      7002
.....
.....
zented_port_t                  tcp      1229
zented_port_t                  udp      1229
zookeeper_client_port_t        tcp      2181
zookeeper_election_port_t      tcp      3888
zookeeper_leader_port_t        tcp      2888
zope_port_t                    tcp      8021
[2]
For example, set Port 82 for httpd.
The default Port 80 for http and Port 443 for https are labeled [http_port_t] as shown below, but 82 is not. So even if httpd.conf is configured correctly with [listen 82], httpd will not start because SELinux denies the bind. If you'd like to use 82, add it to [http_port_t].
# show current settings

[root@dlp ~]#
semanage port -l | grep -E -w "80|443"

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000

# add 82 Port

[root@dlp ~]#
semanage port -a -t http_port_t -p tcp 82
[root@dlp ~]#
semanage port -l | grep "^http_port_t"

http_port_t                    tcp      82, 80, 81, 443, 488, 8008, 8009, 8443, 9000
# just added

# after changing httpd.conf correctly, restart httpd and verify running

[root@dlp ~]#
ss -napt | grep httpd

LISTEN 0      128                *:82              *:*    users:(("httpd",pid=26284,fd=4),("httpd",pid=26283,fd=4),("httpd",pid=26282,fd=4),("httpd",pid=26279,fd=4))
# httpd is listening on 82
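The steps above check the port list by eye with grep. As an added example (not part of the original page, and not a tool shipped with SELinux or policycoreutils), the script below does the same check in a reusable way: it parses the column layout of `semanage port -l`, resolves which Type currently owns a given proto/port (handling ranges such as `5900-5999`, which the page's plain grep would miss), and tells you whether `semanage port -a` is the right next step. The listing embedded in `SAMPLE_PORT_LIST` is constructed for offline use; call the functions without the listing argument on a real host and they read the live `semanage port -l` output.

```shell
#!/bin/bash
# Constructed sample of `semanage port -l` output (assumed layout, taken from
# the column format shown on this page; not captured from a real host).
SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
vnc_port_t                     tcp      5900-5999
zope_port_t                    tcp      8021'

# port_type_of PROTO PORT [LISTING]
# Prints the SELinux port Type that covers PORT/PROTO, or nothing if the port
# is unlabeled. Single ports ("80,") and ranges ("5900-5999") are both handled.
# LISTING is optional; without it the live `semanage port -l` output is used.
port_type_of() {
    local proto="$1" port="$2" listing="${3:-}"
    [ -n "$listing" ] || listing=$(semanage port -l)
    printf '%s\n' "$listing" | awk -v p="$proto" -v n="$port" '
        $2 == p {
            # columns 3..NF hold the comma-separated port list for this Type
            for (i = 3; i <= NF; i++) {
                e = $i; sub(/,$/, "", e)
                if (split(e, r, "-") == 2) { lo = r[1]; hi = r[2] } else { lo = e; hi = e }
                if (n + 0 >= lo + 0 && n + 0 <= hi + 0) { print $1; exit }
            }
        }'
}

# plan_port_label TYPE PROTO PORT [LISTING]
# Prints one of:
#   add: <semanage command>   port is unlabeled; this is the page's case (82)
#   ok: <type>                port already carries the wanted Type
#   conflict: <other type>    port belongs to another Type; `-a` will be refused
plan_port_label() {
    local type="$1" proto="$2" port="$3" listing="${4:-}"
    local owner
    owner=$(port_type_of "$proto" "$port" "$listing")
    if [ -z "$owner" ]; then
        printf 'add: semanage port -a -t %s -p %s %s\n' "$type" "$proto" "$port"
    elif [ "$owner" = "$type" ]; then
        printf 'ok: %s\n' "$type"
    else
        printf 'conflict: %s\n' "$owner"
    fi
}

# Stand-alone demonstration against the constructed listing.
plan_port_label http_port_t tcp 82   "$SAMPLE_PORT_LIST"   # add: ...
plan_port_label http_port_t tcp 443  "$SAMPLE_PORT_LIST"   # ok: http_port_t
plan_port_label http_port_t tcp 5910 "$SAMPLE_PORT_LIST"   # conflict: vnc_port_t
```

The `conflict` branch is the caveat worth knowing: `semanage port -a` refuses a port that is already labeled with another Type, and `semanage port -m` is the command that changes an existing label. Re-labeling a port away from its original Type widens what that Type's domain may bind, so check the current owner before modifying.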