RH134 - ch11s03

In addition to file context and process type labeling, SELinux labels network ports with an SELinux context. SELinux controls network access by labeling the network ports and including rules in a service's targeted policy. For example, the SSH targeted policy includes the 22/TCP port with an ssh_port_t port context label. In the HTTP policy, the default 80/TCP and 443/TCP ports use an http_port_t port context label.

When a targeted process attempts to open a port for listening, SELinux verifies that the policy includes entries that enable the binding of the process and the context. SElinux can then block a rogue service from taking over ports that other legitimate network services use.

Manage SELinux Port Labeling

If a service attempts to listen on a nonstandard port, and the port is not labeled with the correct SELinux type, then SELinux might block the attempt. You can correct this problem by changing the SELinux context on the port.

Typically, the targeted policy already labeled all expected ports with the correct type. For example, because port 8008/TCP is often used for web applications, that port is already labeled with http_port_t, which is the default port type that a web server uses. Individual ports can be labeled with only one port context.

List Port Labels

Use the grep command to filter the port number.

[root@host ~]# grep gopher /etc/services
gopher          70/tcp                          # Internet Gopher
gopher          70/udp

Use the semanage command to list the current port label assignments.

[root@host ~]# semanage port -l
...output omitted...
http_cache_port_t       tcp   8080, 8118, 8123, 10001-10010
http_cache_port_t       udp   3130
http_port_t             tcp   80, 81, 443, 488, 8008, 8009, 8443, 9000
...output omitted...

Use the grep command to filter the SELinux port label by using the service name.

[root@host ~]# semanage port -l | grep ftp
ftp_data_port_t                tcp      20
ftp_port_t                     tcp      21, 989, 990
ftp_port_t                     udp      989, 990
tftp_port_t                    udp      69

A port label can appear in the list many times for each supported networking protocol.

Use the grep command to filter the SELinux port label by using the port number.

[root@host ~]# semanage port -l | grep -w 70
gopher_port_t                  tcp      70
gopher_port_t                  udp      70

Manage Port Bindings

Use the semanage command to assign new port labels, remove port labels, and modify existing ones.

Important

Almost all of the services that are included in the RHEL distribution provide an SELinux policy module, which includes that service's default port contexts. You cannot change default port labels by using the semanage command. Instead, you must modify and reload the targeted service's policy module. Writing and generating policy modules is not discussed in this course.

You can label a new port with an existing port context label (type). The semanage port command's -a option adds a new port label; the -t option denotes the type; and the -p option denotes the protocol.

[root@host ~]# semanage port -a -t port_label -p tcp|udp PORTNUMBER

In the following example, enable the gopher service to listen on the 71/TCP port:

[root@host~]# semanage port -a -t gopher_port_t -p tcp 71

To view local changes to the default policy, use the semanage port command's -C option.

[root@host~]# semanage port -l -C
SELinux Port Type              Proto    Port Number

gopher_port_t                  tcp      71

The targeted policies include many port types.

Service-specific SELinux man pages are named by using the service name plus _selinux. These man pages include service-specific information on SELinux types, Booleans, and port types, and are not installed by default. To view a list of all of the available SELinux man pages, install the package and then run a man -k keyword search for the _selinux string.

[root@host ~]# dnf -y install selinux-policy-doc
[root@host ~]# man -k _selinux

Use the semanage command for deleting a port label, with the -d option. In the following example, remove the binding of port 71/TCP to the gopher_port_t type:

[root@host ~]# semanage port -d -t gopher_port_t -p tcp 71

To change a port binding, when requirements change, use the -m option. This option is more efficient than deleting the earlier binding and adding the latest one.

For example, to modify port 71/TCP from gopher_port_t to http_port_t, use the following command:

[root@server ~]# semanage port -m -t http_port_t -p tcp 71

View the modification by using the semanage command.

[root@server ~]# semanage port -l -C
SELinux Port Type              Proto    Port Number

http_port_t                    tcp      71
[root@server ~]# semanage port -l | grep http
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      71, 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989

References

semanage(8), semanage-port(8), and *_selinux(8) man pages

Discuss Red Hat System Administration II

Go to community

Is It possible to reset root password when the system is on multi-user.target?

jennifer1987

27 lip 2023

Hi thereWell, i have a question, Is It possible to reset root password when the system is on multi-user.target? I was not be able to found a foro o some information related with this and another question that I have, If the grub menu dont show up, is it posible to reset the root password?

991

Red Hat System Administration II (RH134)

Haley_Ruccio

21 lip 2023

Build the skills to perform the key tasks needed to become a full-time Linux administratorRed Hat System Administration II (RH134) is the second part of the RHCSA training track for IT professionals who have already attended Red Hat System Administration I. The course goes deeper into core Linux system administration skills in storage configuration and management, installation and deployment of Red Hat Enterprise Linux, management of security features such as SELinux, control of recurring system tasks, management of the boot process and troubleshooting, basic system tuning, and command-line automation and productivity. This course assumes that students have attended Red Hat System Administration I (RH124).Experienced Linux administrators who seek rapid preparation for the RHCSA certification should instead start with RHCSA Rapid Track (RH199).This course is based on Red Hat Enterprise Linux 9.0.Course summaryInstall Red Hat Enterprise Linux using scalable methodsAccess security files, file systems, and networksExecute shell scripting and automation techniquesManage storage devices, logical volumes, and file systemsManage security and system accessControl the boot process and system servicesRun containersAudience for this courseThis course is geared toward Windows system administrators, network administrators, and other system administrators who are interested in supplementing current skills or backstopping other team members, in addition to Linux system administrators who are responsible for these tasks:Configuring, installing, upgrading, and maintaining Linux systems using established standards and proceduresProviding operational supportManaging systems for monitoring system performance and availabilityWriting and deploying scripts for task automation and system administrationRecommended trainingSuccessful completion of Red Hat System Administration I (RH124) is recommended.Experienced Linux administrators seeking to accelerate their path toward becoming a Red Hat Certified System Administrator should start with the RHCSA Rapid Track course (RH199).Take our free assessment to gauge whether this offering is the best fit for your skills.Technology considerationsThere are no special technology requirements.This course is not designed for bring your own device (BYOD).Internet access is not required, but is recommended to allow students to research and access Red Hat online resources.

Welcome to the Red Hat System Administration II (RH134) group in the Red Hat Learning Community!

Deanna

18 lip 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat System Administration II! To gain the most value from this group - click the "Join Group" button in the upper right hand corner.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to RH134.Read more about Red Hat System Administration II here.

417

Revision: rh134-9.0-fa57cbe