Semanage is a tool used to configure certain elements of SELinux policy without modifying or recompiling policy sources. This includes mapping Linux usernames to SELinux user identities and security context mappings for objects like network ports, interfaces, and hosts.
By default, SELinux only allows known services to bind to known ports. If we want a service to use a non-default port, we need to label that port with the service's port type using the semanage command.
In this article, we will explore the semanage command and learn how to list, create/add and delete port types on RPM-based distributions like CentOS and Red Hat.
Listing Ports with Semanage
The basic command for listing all ports is:
# semanage port -l

SELinux Port Type              Proto    Port Number

afs3_callback_port_t           tcp      7001
afs3_callback_port_t           udp      7001
afs_bos_port_t                 udp      7007
afs_fs_port_t                  tcp      2040
afs_fs_port_t                  udp      7000, 7005
afs_ka_port_t                  udp      7004
afs_pt_port_t                  tcp      7002
afs_pt_port_t                  udp      7002
...
To list the port numbers assigned to a specific port type, such as http_port_t, filter the output with grep:
# semanage port -l | grep -w http_port_t
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
Similarly, for mysqld_port_t:
# semanage port -l | grep -w mysqld_port_t
mysqld_port_t                  tcp      1186, 3306, 63132-63164
To find port types whose port numbers contain a given string, for example 53, use this command (note that a plain grep also matches numbers such as 539):
# semanage port -l | grep 53
apertus_ldp_port_t             tcp      539
apertus_ldp_port_t             udp      539
dns_port_t                     tcp      53
dns_port_t                     udp      53
Creating or Adding Ports with Semanage
In this example, we will label tcp port 2222 with the http_port_t type. The -a option adds a new port record, the -t option specifies the SELinux port type, and the -p option specifies the protocol to use (in this case tcp).
# semanage port -a -t http_port_t -p tcp 2222
To view the newly created port, we use the list command with the -C option, which shows only local customizations.
# semanage port -lC
SELinux Port Type Proto Port Number
http_port_t tcp 2222
To assign a range of port numbers to a port type, use the command:
# semanage port -a -t http_port_t -p tcp 2223-2225
Now, we can see the port range in the customizations list:
# semanage port -lC
SELinux Port Type              Proto    Port Number
http_port_t                    tcp      2223-2225
If you try to add another entry with the same values you used before, you get this error:
ValueError: Port tcp/2222 already defined
To change the type of a port that is already defined, use the -m option to modify the existing record:
# semanage port -m -t unreserved_port_t -p tcp 2222
Now if we list the customizations we will see the change:
# semanage port -lC
SELinux Port Type              Proto    Port Number
unreserved_port_t              tcp      2222
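The choice between -a and -m above depends on whether the port already carries a label. As an added example (not part of the original article), the shell functions below parse the output format of semanage port -l, including comma-separated lists and ranges like 63132-63164, and print the semanage invocation that will succeed without hitting the "already defined" error. The listing is a constructed, abridged sample so the functions can be tried without semanage installed; on a real host you would pass "$(semanage port -l)" instead.

```shell
#!/bin/sh
# Constructed, abridged sample of `semanage port -l` output.
SAMPLE_LISTING='SELinux Port Type              Proto    Port Number

dns_port_t                     tcp      53
dns_port_t                     udp      53
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
mysqld_port_t                  tcp      1186, 3306, 63132-63164
unreserved_port_t              tcp      2222'

# port_label LISTING PROTO PORT
# Prints the SELinux port type that covers PROTO/PORT in LISTING, handling
# both "80, 81, 443" lists and "63132-63164" ranges. Prints nothing if the
# port is unlabeled. Header and blank lines are skipped because their second
# field is never a protocol name.
port_label() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
        $2 != proto { next }
        {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)           # strip trailing comma
                if (p ~ /-/) {                     # low-high range
                    split(p, r, "-")
                    if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) { print $1; exit }
                } else if (p + 0 == port + 0) { print $1; exit }
            }
        }'
}

# semanage_port_cmd TYPE PROTO PORT LISTING
# Prints the semanage command needed to label PROTO/PORT as TYPE given the
# current LISTING: -a when the port is unlabeled, -m when it already carries a
# different type (the case that otherwise raises "ValueError: Port tcp/2222
# already defined"), and nothing when the label is already correct.
semanage_port_cmd() {
    current=$(port_label "$4" "$2" "$3")
    if [ -z "$current" ]; then
        echo "semanage port -a -t $1 -p $2 $3"
    elif [ "$current" != "$1" ]; then
        echo "semanage port -m -t $1 -p $2 $3"
    fi
}
```

Running semanage_port_cmd http_port_t tcp 2222 "$SAMPLE_LISTING" prints the -m form, because tcp/2222 is already labeled unreserved_port_t in the sample.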
Deleting Ports with Semanage
We use the -d option to delete a port record. To delete the unreserved_port_t label on tcp port 2222, we use the command:
# semanage port -d -t unreserved_port_t -p tcp 2222
To delete a range of ports, use the command:
# semanage port -d -t http_port_t -p tcp 2223-2225
If you run the customizations list command (semanage port -lC) and it returns nothing, then the entry has been removed.
Using Semanage Permissive
The semanage permissive subcommand is used to add or remove SELinux policy permissive modules, which put a single domain into permissive mode (its denials are logged but not enforced) while the rest of the policy stays enforcing.
To list all permissive modules, use the -l option:
# semanage permissive -l

Customized Permissive Types


Builtin Permissive Types

sanlk_resetd_t
hsqldb_t
systemd_hwdb_t
blkmapd_t
ipmievd_t
targetd_t
To make httpd_t a permissive domain, use the -a option:
# semanage permissive -a httpd_t
Now, let's check all permissive modules again:
# semanage permissive -l

Customized Permissive Types

httpd_t

Builtin Permissive Types

sanlk_resetd_t
hsqldb_t
systemd_hwdb_t
blkmapd_t
ipmievd_t
To delete the permissive type we just created, we use the -d option:
# semanage permissive -d httpd_t
libsemanage.semanage_direct_remove_key: Removing last permissive_httpd_t module (no other permissive_httpd_t module exists at another priority).
In this article, we saw how to list, add, modify and delete port labels using the semanage tool on RPM-based Linux distributions. If your system has a GUI, you can install the policycoreutils-gui package via yum and then run the system-config-selinux command to open the graphical tool and configure SELinux port types from the Network Port menu.