One way in which SELinux secures the system is by controlling ports. Every port carries an SELinux port type, and a confined process may only bind to ports whose type its policy allows for that process. If a process tries to listen on a port whose type it is not permitted to use (typically a nonstandard port that is not in the list), the bind is denied and the process is blocked from using that port.
Commands:
SELinux comes pre-configured with a large number of port-application mappings. You can interact with these mappings using the `semanage port` commands. To list them, add the `-l` or `--list` argument.
```
semanage port -l | head
SELinux Port Type              Proto    Port Number

afs3_callback_port_t           tcp      7001
afs3_callback_port_t           udp      7001
afs_bos_port_t                 udp      7007
afs_fs_port_t                  tcp      2040
afs_fs_port_t                  udp      7000, 7005
afs_ka_port_t                  udp      7004
afs_pt_port_t                  tcp      7002
afs_pt_port_t                  udp      7002
```
📌 EXAM TIP: To navigate through the list of ports on the fly, pipe the output into `less` and search for a port type or port number using `/`.
All port mappings use either the TCP or UDP protocol. Both protocols are essential in the modern world, although people are generally more exposed to TCP applications. Here are some protocols built on each one:
| | TCP | UDP |
|---|---|---|
| Protocols | TCP is used by HTTP, HTTPS, FTP, SMTP and Telnet. | UDP is used by DNS, DHCP, TFTP, SNMP, RIP, and VoIP. |
Briefly, the key difference between these protocols is that TCP is connection-oriented and requires a handshake before data is exchanged, while UDP does not. For a bit more information on this topic, see the more comprehensive table linked here.
As a template, manage SELinux port labels as so:

```
semanage port -<a|d> -t <port_type> -p <tcp|udp> <port>
```

- `-a`: add a label
- `-d`: delete a label
- `-t`: port type
- `-p`: protocol

In this example, a nonstandard port mapping will be added to allow an httpd service to run on it.
Install and start the httpd server:

```
[root@server ~]$ dnf install -y httpd
[root@server ~]$ systemctl enable --now httpd
[root@server ~]$ curl localhost:80
# <h1>Hello World</h1>
```
Change the port httpd listens on to the nonstandard port 8012:

```
[root@server ~]$ vim /etc/httpd/conf/httpd.conf   # holds the port config; not needed in the exam, shown for demonstration
    # ...
    Listen 8012
    # ...
```
```
[root@server ~]$ systemctl restart httpd
# Job for httpd.service failed because the control process exited with error code.
# See "systemctl status httpd.service" and "journalctl -xeu httpd.service" for details.

[root@server ~]$ systemctl status httpd
× httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
     Active: failed (Result: exit-code) since Mon 2023-02-13 11:55:52 GMT; 6s ago
       Docs: man:httpd.service(8) ...

Feb 13 11:55:52 server systemd[1]: Starting The Apache HTTP Server...
Feb 13 11:55:52 server httpd[2174]: (13)Permission denied: AH00072: make_sock: could not bind to address [::]:8012
Feb 13 11:55:52 server httpd[2174]: (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:8012
Feb 13 11:55:52 server httpd[2174]: no listening sockets available, shutting down
Feb 13 11:55:52 server systemd[1]: Failed to start The Apache HTTP Server.
```
The `Permission denied` comes from SELinux: tcp/8012 does not carry a port type that httpd is allowed to bind to (the matching AVC denial can be confirmed with `ausearch -m avc -ts recent`). Label the port with `http_port_t`:

```
semanage port -a -t http_port_t -p tcp 8012
```
```
[root@server ~]$ systemctl restart httpd

[root@server ~]$ systemctl status httpd
● httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
     Active: active (running) since Mon 2023-02-13 11:58:59 GMT; 1h 27min ago
       Docs: man:httpd.service(8)

Feb 13 11:58:59 server systemd[1]: Starting The Apache HTTP Server...
Feb 13 11:58:59 server httpd[2255]: Server configured, listening on: port 8012
Feb 13 11:58:59 server systemd[1]: Started The Apache HTTP Server.
```
```
[root@server ~]$ curl localhost:8012
# <h1>Hello World</h1>
[root@server ~]$ curl localhost:80
# curl: (7) Failed to connect to localhost port 80 after 0 ms: Connection refused
```
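The failed restart above could have been predicted before touching `Listen`: the `semanage port -l` listing already shows which type a port carries. The following POSIX shell functions, an added example that is not part of the original page, parse that listing (including comma-separated lists and `low-high` ranges) and report whether a port/protocol carries a given type; the embedded listing is a constructed sample modelled on default-policy entries, and on a live system you would pipe in `semanage port -l` instead.

```shell
#!/bin/sh
# Constructed sample of `semanage port -l` output (not captured from a live system).
SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number

afs_fs_port_t                  udp      7000, 7005
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
unreserved_port_t              tcp      1024-32767
'

# port_types <proto> <port>: read `semanage port -l` output on stdin and print every
# port type whose "Port Number" column covers <port>/<proto>, one type per line.
port_types() {
    awk -v proto="$1" -v port="$2" '
        NF < 3 || $2 != proto { next }          # skip header, blank lines, other protocol
        {
            for (i = 3; i <= NF; i++) {         # fields 3..NF: "80," "81," ... or "1024-32767"
                f = $i; sub(/,$/, "", f)        # strip the trailing comma of list entries
                if (split(f, r, "-") == 2) { lo = r[1] + 0; hi = r[2] + 0 }
                else { lo = f + 0; hi = lo }
                if (port + 0 >= lo && port + 0 <= hi) { print $1; break }
            }
        }'
}

# check_port <type> <proto> <port>: exit 0 when <port>/<proto> carries <type>, 1 otherwise.
check_port() {
    port_types "$2" "$3" | grep -qxF "$1"
}

# Pre-flight check for the httpd scenario: 8012 only matches unreserved_port_t,
# which httpd is not allowed to bind, so the label must be added first.
if ! printf '%s\n' "$SAMPLE_PORT_LIST" | check_port http_port_t tcp 8012; then
    echo "tcp/8012 is not http_port_t; fix: semanage port -a -t http_port_t -p tcp 8012"
fi
```

Replace the sample with `semanage port -l | check_port http_port_t tcp 8012` on a real host; `semanage port -l -C` restricts the listing to local customisations such as the one added above.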