10. Manage Security
Red Hat Certified System Administrator (RHCSA - EX200)
1. What Are SELinux Port Labels?
In SELinux, ports are labeled with types, just like files and processes.
A port label defines:
- Which service is allowed to use a specific port
- Whether SELinux permits network communication on that port
Each service runs under an SELinux domain (type), and it can only use ports that are allowed for that type.
Example Concept
- A web server (httpd) runs under type: httpd_t
- Default allowed ports:
  - 80 → http_port_t
  - 443 → http_port_t
If you try to run a web server on port 8080, it may fail because:
- Port 8080 is not labeled as http_port_t
2. Why SELinux Port Labels Matter
SELinux enforces strict security rules:
- Even if the firewall allows a port
- Even if the service is configured correctly
→ SELinux can still block access if the port is not labeled correctly.
Common IT Scenario
A system administrator:
- Installs a web server
- Changes it to listen on port 8080
Result:
- Service starts, but connections fail
Reason:
- SELinux does not allow httpd_t to use port 8080
Solution:
- Add port 8080 to http_port_t
3. Viewing SELinux Port Labels
To see current port labels, use:
semanage port -l
This lists:
- SELinux port types
- Associated protocols (tcp/udp)
- Port numbers
Filter for a specific service
Example: HTTP ports
semanage port -l | grep http
Output may show:
http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443
4. Managing SELinux Port Labels
You manage port labels using:
semanage port [options]
Important Options
| Option | Description |
|---|---|
| -l | List ports |
| -a | Add new port |
| -m | Modify existing port |
| -d | Delete port |
5. Adding a New Port Label
To allow a service to use a new port:
semanage port -a -t TYPE -p PROTOCOL PORT
Example: Allow HTTP on Port 8080
semanage port -a -t http_port_t -p tcp 8080
Explanation:
- -a → Add new rule
- -t http_port_t → Assign HTTP type
- -p tcp → Protocol
- 8080 → Port number
Verify
semanage port -l | grep http
6. Modifying an Existing Port
If the port is already labeled, but with a different type, use:
semanage port -m -t TYPE -p PROTOCOL PORT
Example
semanage port -m -t http_port_t -p tcp 8080
7. Deleting a Port Label
To remove a custom port:
semanage port -d -t TYPE -p PROTOCOL PORT
Example
semanage port -d -t http_port_t -p tcp 8080
8. Important Notes for the Exam
1. Difference Between Firewall and SELinux
- Firewall controls network access
- SELinux controls which service can use which port
Both must allow the traffic.
2. The semanage Command Requires a Package
If the command is missing, install it:
dnf install policycoreutils-python-utils
3. Use Correct Type
Common types:
| Service | Type |
|---|---|
| HTTP (Apache/Nginx) | http_port_t |
| SSH | ssh_port_t |
| FTP | ftp_port_t |
| DNS | dns_port_t |
4. Do NOT Disable SELinux
Incorrect approach (not allowed in exam):
setenforce 0
Correct approach:
- Fix port labeling
9. Troubleshooting SELinux Port Issues
Step 1: Check SELinux status
getenforce
Step 2: Check service port configuration
ss -tuln
Step 3: Check SELinux logs
/var/log/audit/audit.log
Step 4: Use audit2why / audit2allow
audit2why < /var/log/audit/audit.log
10. Practical Exam Task Example
Task:
Configure a web server to run on port 8080 and allow SELinux access.
Solution Steps:
- Add port:
semanage port -a -t http_port_t -p tcp 8080
- Configure web server to use port 8080
- Restart service:
systemctl restart httpd
- Open the port in the firewall:
firewall-cmd --add-port=8080/tcp --permanent
firewall-cmd --reload
11. Common Mistakes (Very Important)
- Forgetting SELinux after changing port
- Using -a when port already exists (should use -m)
- Assigning wrong type
- Disabling SELinux instead of fixing policy
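The -a vs -m pitfall from sections 5, 6 and 11 is avoided by checking the existing label before choosing a subcommand. The shell script below is an added example, not part of the original notes: the `semanage port -l` listing it embeds is constructed and abridged (its layout mirrors the targeted policy), and `label_port` assumes a host with semanage installed and root privileges.

```shell
#!/bin/sh
# Constructed, abridged `semanage port -l` listing used so the decision logic
# runs without semanage installed; the layout mirrors the targeted policy.
SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443
ssh_port_t                     tcp      22'

# current_port_type LISTING PROTO PORT
# Prints the type that currently covers PROTO/PORT in a `semanage port -l`
# dump (ranges like 10001-10010 are expanded), or nothing if unlabeled.
current_port_type() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
        $2 == proto {
            rest = ""
            for (i = 3; i <= NF; i++) rest = rest $i
            n = split(rest, items, ",")
            for (i = 1; i <= n; i++) {
                if (split(items[i], r, "-") == 2) {
                    if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) { print $1; exit }
                } else if (items[i] + 0 == port + 0) { print $1; exit }
            }
        }'
}

# port_label_action LISTING TYPE PROTO PORT
# "add" (-a) when the port is unlabeled, "modify" (-m) when it carries
# another type, "none" when it already has TYPE: the -a vs -m pitfall.
port_label_action() {
    cur=$(current_port_type "$1" "$3" "$4")
    if [ -z "$cur" ]; then echo add
    elif [ "$cur" = "$2" ]; then echo none
    else echo modify
    fi
}

# label_port TYPE PROTO PORT
# Applies the chosen subcommand on a real host (needs root and the
# policycoreutils-python-utils package).
label_port() {
    case $(port_label_action "$(semanage port -l)" "$1" "$2" "$3") in
        add)    semanage port -a -t "$1" -p "$2" "$3" ;;
        modify) semanage port -m -t "$1" -p "$2" "$3" ;;
        none)   echo "$2/$3 is already labeled $1" ;;
    esac
}
```

On a real host, `label_port http_port_t tcp 8080` therefore picks -m rather than -a when tcp/8080 already belongs to another type, and does nothing if the label is already correct.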
12. Quick Summary (Exam Revision)
- SELinux uses port labels to control service access
- Use semanage port -l to list ports
- Add port: semanage port -a -t TYPE -p tcp PORT
- Modify port: semanage port -m -t TYPE -p tcp PORT
- Delete port: semanage port -d -t TYPE -p tcp PORT
- Always match service type (e.g., http_port_t)
- Never disable SELinux; fix the issue properly
