Note: This is an RHCE 7 exam objective.
Presentation
Because of the SELinux policy, a service is normally only allowed to bind to a restricted list of well-known ports. For example, in the case of the httpd service, this list is 80, 443, 488, 8008, 8009, 8443.
To allow a service to use a non-standard port, you need to follow a specific procedure to change the SELinux policy.
Prerequisites
Install the setroubleshoot-server package (to get the semanage command) and, optionally, the selinux-policy-devel package (to get the sepolicy command):
# yum install -y setroubleshoot-server selinux-policy-devel
Install the service that you want to run (here httpd), if it is not already installed:
# yum install -y httpd
SELinux procedure
To get the list of all restricted ports, grouped by SELinux port type, type:
# semanage port -l
SELinux Port Type              Proto    Port Number
afs3_callback_port_t           tcp      7001
afs3_callback_port_t           udp      7001
afs_bos_port_t                 udp      7007
afs_fs_port_t                  tcp      2040
afs_fs_port_t                  udp      7000, 7005
afs_ka_port_t                  udp      7004
afs_pt_port_t                  udp      7002
afs_vl_port_t                  udp      7003
...
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
...
zookeeper_client_port_t        tcp      2181
zookeeper_election_port_t      tcp      3888
zookeeper_leader_port_t        tcp      2888
zope_port_t                    tcp      8021
To get the list of well-known ports for the httpd service, type:
# semanage port -l | grep -w http_port_t
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
Alternatively, you can also use the sepolicy command to get the same result:
# sepolicy network -t http_port_t
http_port_t: tcp: 80,81,443,488,8008,8009,8443,9000
To check whether a port is already labelled for another service (here 8001), type:
# sepolicy network -p 8001
8001: tcp unreserved_port_t 1024-32767
8001: udp unreserved_port_t 1024-32767
To allow the httpd service to run on the 8001 tcp port (-a for add), type:
# semanage port -a -t http_port_t -p tcp 8001
Note1: Use the -d option instead of the -a option to remove a port from the list.
Note2: In case port tcp 8001 is already assigned to another service, use the -m (modify) option instead (see Sander van Vugt RHCE FAQ for more information): a port can only be labelled with one SELinux port type at a time; for example, the -m option is useful when you want sshd to listen on ports tcp 22 and tcp 443 at the same time, because tcp 443 already belongs to http_port_t.
To check that the list is updated, type:
# semanage port -l | grep -w http_port_t
http_port_t                    tcp      8001, 80, 81, 443, 488, 8008, 8009, 8443, 9000
Alternatively, you can check the new status of the port (here 8001):
# sepolicy network -p 8001
8001: tcp unreserved_port_t 1024-32767
8001: udp unreserved_port_t 1024-32767
8001: tcp http_port_t 8001
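The check in the procedure above (is the port already labelled?) and the -a versus -m choice from Note2 can be automated. The following shell script is an added example, not part of the original page: it parses the table format of semanage port -l (a constructed sample is embedded so it runs offline; on a real host replace SAMPLE with the real command output) and prints the semanage port command that is needed, if any. Range entries such as 1024-32767 are policy defaults and are deliberately not treated as an existing label.

```shell
#!/bin/sh
# Constructed sample of "semanage port -l" output (not from a real host).
SAMPLE='SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
unreserved_port_t              tcp      1024-32767
zope_port_t                    tcp      8021'

# port_type PROTO PORT: print the SELinux port type that explicitly lists
# PORT/PROTO, or nothing when only a default range (a-b) covers it.
port_type() {
  proto="$1"; port="$2"
  printf '%s\n' "$SAMPLE" | awk -v proto="$proto" -v port="$port" '
    NR > 1 && $2 == proto {
      # fields 3..NF are the comma-separated port list of this row
      for (i = 3; i <= NF; i++) {
        p = $i; sub(/,$/, "", p)      # strip the trailing comma
        if (p == port) { print $1; exit }
      }
    }'
}

# semanage_action TYPE PROTO PORT: "none" if PORT/PROTO is already TYPE,
# "-m" if another type explicitly holds it (Note2), "-a" if it is unlabelled.
semanage_action() {
  type="$1"; proto="$2"; port="$3"
  current=$(port_type "$proto" "$port")
  if [ "$current" = "$type" ]; then
    echo none
  elif [ -n "$current" ]; then
    echo "-m"
  else
    echo "-a"
  fi
}

# semanage_cmd TYPE PROTO PORT: print the command an administrator would run.
semanage_cmd() {
  action=$(semanage_action "$1" "$2" "$3")
  if [ "$action" = none ]; then
    echo "# $3/$2 is already labelled $1, nothing to do"
  else
    echo "semanage port $action -t $1 -p $2 $3"
  fi
}

semanage_cmd http_port_t tcp 8001   # semanage port -a -t http_port_t -p tcp 8001
semanage_cmd ssh_port_t tcp 443     # semanage port -m -t ssh_port_t -p tcp 443
```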
Additional specific service configuration
In addition to the SELinux policy change, you may need to adjust the service configuration.
For example, with the httpd service, you will need to update the Listen directive or, if it is a virtual host, the <VirtualHost> directive in the /etc/httpd/conf/httpd.conf file so that the service actually binds to the new port.
Source: RHEL 7 SELinux Users and Administrators Guide and sepolicy network man page.
The semanage command is included in policycoreutils-python.
Yes, but I have personally always found it easier to remember the setroubleshoot-server package name.
I tend to forget those long package names because I only install them once, therefore my first shot is always “yum provides semanage”.