Controlling SELinux Port Labeling

Objectives

After completing this section, you should be able to verify that network ports have the correct SELinux type so that services are able to bind to them.

SELinux Port Labeling

Managing SELinux port security

SELinux does more than just file and process labeling. Network traffic is also tightly enforced by the SELinux policy. One of the methods that SELinux uses for controlling network traffic is labeling network ports; for example, in the targeted policy, port 22/TCP has the label ssh_port_t associated with it. The default HTTP ports, 80/TCP and 443/TCP, have the label http_port_t associated with them.

Whenever a process wants to listen on a port, SELinux checks to see whether the label associated with that process (the domain) is allowed to bind that port label. This can stop a rogue service from taking over ports otherwise used by other (legitimate) network services.

Managing SELinux Port Labeling

If you decide to run a service on a nonstandard port, SELinux almost certainly will block the traffic. In this case, you must update SELinux port labels. In some cases, the targeted policy has already labeled the port with a type that can be used; for example, since port 8008/TCP is often used for web applications, that port is already labeled with http_port_t, the default port type for the web server.

Listing Port Labels

To get an overview of all the current port label assignments, run the semanage port -l command. The -l option lists all current assignments in this form:

port_label_t     tcp|udp    comma,separated,list,of,ports

Example output:

[root@host ~]# semanage port -l
...output omitted...
http_cache_port_t       tcp   8080, 8118, 8123, 10001-10010
http_cache_port_t       udp   3130
http_port_t             tcp   80, 81, 443, 488, 8008, 8009, 8443, 9000
...output omitted...

To refine the search, use the grep command:

[root@host ~]# semanage port -l | grep ftp
ftp_data_port_t                tcp      20
ftp_port_t                     tcp      21, 989, 990
ftp_port_t                     udp      989, 990
tftp_port_t                    udp      69

Note that a port label can appear twice in the output, once for TCP and once for UDP.

Managing Port Labels

Use the semanage command to assign new port labels, remove port labels, or modify existing ones.

Important

Most standard services available in the Linux distribution provide an SELinux policy module that sets labels on ports. You cannot change the labels on those ports using semanage; to change those, you need to replace the policy module. Writing and generating policy modules falls outside the scope of this course.

To add a port to an existing port label (type), use the following syntax. The -a option adds a new port label, -t specifies the type, and -p specifies the protocol.

[root@host ~]# semanage port -a -t port_label -p tcp|udp PORTNUMBER

For example, to allow a gopher service to listen on port 71/TCP:

[root@host ~]# semanage port -a -t gopher_port_t -p tcp 71

To view local changes to the default policy, administrators can add the -C option to the semanage command.

[root@host ~]# semanage port -l -C
SELinux Port Type              Proto    Port Number

gopher_port_t                  tcp      71

Note

The targeted policy ships with a large number of port types.

Service-specific SELinux man pages, found in the selinux-policy-doc package, document the SELinux types, booleans, and port types for each service. If these man pages are not yet installed on your system, follow this procedure:

[root@host ~]# yum -y install selinux-policy-doc
[root@host ~]# man -k _selinux

Removing Port Labels

The syntax for removing a custom port label is the same as the syntax for adding a port label, but instead of using the -a option (for Add), use the -d option (for Delete).

For example, to remove the binding of port 71/TCP to gopher_port_t:

[root@host ~]# semanage port -d -t gopher_port_t -p tcp 71

Modifying Port Bindings

To change a port binding, perhaps because requirements changed, use the -m (Modify) option. This is a more efficient process than removing the old binding and adding a new one.

For example, to modify port 71/TCP from gopher_port_t to http_port_t, an administrator can use the following command:

[root@server ~]# semanage port -m -t http_port_t -p tcp 71

As before, view the modification using the semanage command.

[root@server ~]# semanage port -l -C
SELinux Port Type              Proto    Port Number

http_port_t                    tcp      71
[root@server ~]# semanage port -l | grep http
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      71, 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989
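The add and modify steps above differ only in whether the port already carries a label: semanage port -a refuses a port that is already defined, and -m is the right option there. The following shell helper, added here as an example and not part of the course material, parses the semanage port -l listing format shown above (including ranges such as 10001-10010) to find the current type of a port and prints the matching semanage command. It runs against a constructed sample listing so it works without SELinux; on a real host, pass "$(semanage port -l)" as the listing argument.

```shell
# Constructed sample in the format printed by `semanage port -l`
SAMPLE_PORTS='http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22'

# port_label <proto> <port> [listing]: print the type currently bound to the
# port/protocol pair, or nothing if the port is unlabeled. Ranges (lo-hi) are
# expanded, and header/blank lines are skipped because their 2nd field is not
# a protocol. The listing defaults to the constructed sample above.
port_label() {
    local proto="$1" port="$2" listing="${3:-$SAMPLE_PORTS}"
    printf '%s\n' "$listing" | awk -v proto="$proto" -v port="$port" '
        $2 == proto {
            # everything from the 3rd field onward is the comma-separated port list
            n = split(substr($0, index($0, $3)), items, /, */)
            for (i = 1; i <= n; i++) {
                if (split(items[i], r, "-") == 2) { lo = r[1]; hi = r[2] }
                else { lo = items[i]; hi = items[i] }
                if (port + 0 >= lo + 0 && port + 0 <= hi + 0) { print $1; exit }
            }
        }'
}

# semanage_port_cmd <type> <proto> <port> [listing]: print the semanage
# command needed to bind the port to <type>: -a when the port is unlabeled,
# -m when it is bound to a different type, nothing when it already matches.
# Ports labeled by a shipped policy module are outside what this helper can
# tell apart; it only reads the listing.
semanage_port_cmd() {
    local type="$1" proto="$2" port="$3" listing="${4:-$SAMPLE_PORTS}"
    local current
    current=$(port_label "$proto" "$port" "$listing")
    if [ -z "$current" ]; then
        echo "semanage port -a -t $type -p $proto $port"
    elif [ "$current" != "$type" ]; then
        echo "semanage port -m -t $type -p $proto $port"
    fi
}
```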

References

semanage(8), semanage-port(8), and *_selinux(8) man pages

Revision: rh134-8.2-f0a9756