How to Use Semanage Command for SELinux Policy

Semanage is a tool used to configure certain elements of SELinux policy without modifying or recompiling policy sources. This includes mapping Linux usernames to SELinux user identities and security context mappings for objects like network ports, interfaces, and hosts.

By default, SELinux only allows known services to bind to known ports. If we want a service to listen on a non-default port, we need to add that port to the service's port type with the semanage command.

In this article, we will explore the semanage command and learn how to list, create/add and delete port types on RPM-based distributions like CentOS and RedHat.

Listing Ports with Semanage

The basic command for listing all ports is:

# semanage port -l
SELinux Port Type              Proto    Port Number

afs3_callback_port_t           tcp      7001
afs3_callback_port_t           udp      7001
afs_bos_port_t                 udp      7007
afs_fs_port_t                  tcp      2040
afs_fs_port_t                  udp      7000, 7005
afs_ka_port_t                  udp      7004
afs_pt_port_t                  tcp      7002
afs_pt_port_t                  udp      7002
...

To list the port numbers assigned to a specific port type, such as http_port_t, use this command:

# semanage port -l | grep -w http_port_t
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000

Similarly, for mysqld_port_t:

# semanage port -l | grep -w mysqld_port_t
mysqld_port_t                  tcp      1186, 3306, 63132-63164

To find port types whose port numbers contain a given sequence of digits (here 53), use grep on the listing; note that a plain grep also matches 539:

# semanage port -l | grep 53
apertus_ldp_port_t             tcp      539
apertus_ldp_port_t             udp      539
dns_port_t                     tcp      53
dns_port_t                     udp      53

Creating or Adding Ports with Semanage

In this example, we will add tcp port 2222 to the http_port_t type. The -a option adds a new port record, the -t option specifies the SELinux port type, and the -p option specifies the protocol (in this case tcp).

# semanage port -a -t http_port_t -p tcp 2222

To view the newly created port, we use the list command with the -C option, which shows only local customizations:

# semanage port -lC
SELinux Port Type              Proto    Port Number

http_port_t                    tcp      2222

To assign a range of port numbers to a specific port type, use the command:

# semanage port -a -t http_port_t -p tcp 2223-2225

Now we can see the port range in the customizations list:

# semanage port -lC
SELinux Port Type              Proto    Port Number

http_port_t                    tcp      2223-2225

If you try to add another entry with the same values as before, you get this error:

ValueError: Port tcp/2222 already defined

To change the type of a port that is already defined, use the -m option to modify it instead of -a:

# semanage port -m -t unreserved_port_t -p tcp 2222

Now, if we list the customizations again, we will see the change:

# semanage port -lC
SELinux Port Type              Proto    Port Number

unreserved_port_t              tcp      2222
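As an added example that is not part of the original article, here is a small POSIX shell helper for the two gaps the commands above leave to a script writer: finding which port type already covers a port in semanage port -l output (expanding ranges such as 63132-63164, which a plain grep cannot do), and choosing between -a and -m so that the "already defined" error does not abort provisioning. The function names port_types_for and ensure_port_label, the SEMANAGE variable, and the sample listing are constructed for this example; the sample is not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original article): look up which SELinux port
# type covers a given port, including ranges, and label a port with -a or
# fall back to -m when the port is already defined.

# Constructed sample of `semanage port -l` output, trimmed to a few lines.
# On a real host, pipe the live command output into port_types_for instead.
SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number

afs_fs_port_t                  udp      7000, 7005
apertus_ldp_port_t             tcp      539
dns_port_t                     tcp      53
dns_port_t                     udp      53
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
mysqld_port_t                  tcp      1186, 3306, 63132-63164'

# Name of the semanage binary; override (e.g. with a stub) for testing.
SEMANAGE="${SEMANAGE:-semanage}"

# port_types_for PROTO PORT
# Reads `semanage port -l` output on stdin and prints every port type whose
# definition covers PORT on PROTO. Unlike `grep 53`, this matches exact
# numbers and expands ranges, so 539 is not reported for port 53.
port_types_for() {
    awk -v proto="$1" -v port="$2" '
        BEGIN { port += 0 }
        NR > 1 && NF >= 3 && $2 == proto {
            for (i = 3; i <= NF; i++) {
                spec = $i
                sub(/,$/, "", spec)                 # strip trailing comma
                n = split(spec, bound, "-")         # "lo-hi" or a single port
                lo = bound[1] + 0
                hi = (n == 2) ? bound[2] + 0 : lo
                if (port >= lo && port <= hi) { print $1; break }
            }
        }'
}

# ensure_port_label TYPE PROTO PORT
# Adds a port record with -a when the port is unlabelled, does nothing when
# it already carries TYPE, and uses -m (the fix for
# "ValueError: Port tcp/2222 already defined") when it carries another type.
ensure_port_label() {
    epl_type="$1"; epl_proto="$2"; epl_port="$3"
    epl_current=$("$SEMANAGE" port -l | port_types_for "$epl_proto" "$epl_port")
    case "$epl_current" in
        "")          "$SEMANAGE" port -a -t "$epl_type" -p "$epl_proto" "$epl_port" ;;
        "$epl_type") echo "$epl_type already covers $epl_proto/$epl_port" ;;
        *)           "$SEMANAGE" port -m -t "$epl_type" -p "$epl_proto" "$epl_port" ;;
    esac
}

# Demonstration on the constructed sample (needs no SELinux on this machine).
printf '%s\n' "$SAMPLE_PORT_LIST" | port_types_for tcp 53      # dns_port_t
printf '%s\n' "$SAMPLE_PORT_LIST" | port_types_for tcp 63150   # mysqld_port_t
printf '%s\n' "$SAMPLE_PORT_LIST" | port_types_for tcp 2222    # nothing: unlabelled
```

On a real host, run semanage port -l | port_types_for tcp 2222 to see what a port is labelled before changing it, and call ensure_port_label http_port_t tcp 2222 as root from a provisioning script; the lookup uses the full listing rather than -lC because ports defined by the base policy also trigger the "already defined" error and need -m.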

Deleting Ports with Semanage

We use the option -d to delete a port record. To delete unreserved_port_t on tcp port 2222, we use the command:

# semanage port -d -t unreserved_port_t -p tcp 2222

To delete a range of ports, use the command:

# semanage port -d -t http_port_t -p tcp 2223-2225

If you run the customized list command and it returns nothing, then the entry has been removed.

Using Semanage Permissive

Semanage permissive is used to add or remove SELinux policy permissive modules. A domain (type) that has been made permissive is not blocked by SELinux: accesses that the policy would deny are only logged, not enforced, so this is a troubleshooting aid rather than a permanent setting.

To list all permissive modules, use the -l option:

# semanage permissive -l

Customized Permissive Types


Builtin Permissive Types

sanlk_resetd_t
hsqldb_t
systemd_hwdb_t
blkmapd_t
ipmievd_t
targetd_t

To make httpd_t a permissive domain, use the -a option:

# semanage permissive -a httpd_t

Now, let's check all permissive modules:

# semanage permissive -l

Customized Permissive Types

httpd_t

Builtin Permissive Types

sanlk_resetd_t
hsqldb_t
systemd_hwdb_t
blkmapd_t
ipmievd_t

To delete the permissive type we just created, we use the -d option.

# semanage permissive -d httpd_t

libsemanage.semanage_direct_remove_key: Removing last permissive_httpd_t module (no other permissive_httpd_t module exists at another priority).
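As an added example that is not part of the original article, the following POSIX shell snippet parses the output format shown above and reports locally added permissive domains, which a hardening check should flag because a domain left permissive (such as httpd_t after troubleshooting) has its denials logged but not enforced. The function names customized_permissive and check_no_custom_permissive and both sample listings are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original article): parse `semanage permissive -l`
# output and flag locally added (customized) permissive domains.

# Constructed sample of `semanage permissive -l` after `semanage permissive -a httpd_t`.
SAMPLE_PERMISSIVE='
Customized Permissive Types

httpd_t

Builtin Permissive Types

sanlk_resetd_t
hsqldb_t
systemd_hwdb_t'

# Constructed sample from a host with no local customizations.
SAMPLE_PERMISSIVE_CLEAN='
Customized Permissive Types


Builtin Permissive Types

sanlk_resetd_t
hsqldb_t'

# customized_permissive
# Prints the domains listed under "Customized Permissive Types", one per
# line, from semanage output on stdin; prints nothing when the section is
# empty. Built-in permissive types are part of the distribution policy and
# are deliberately ignored.
customized_permissive() {
    awk '
        /^Customized Permissive Types/ { in_custom = 1; next }
        /^Builtin Permissive Types/    { in_custom = 0 }
        in_custom && NF                { print $1 }'
}

# check_no_custom_permissive
# Returns 0 when no customized permissive domains exist; otherwise prints
# each one and returns 1, so it can be used from a cron job or audit script.
check_no_custom_permissive() {
    cnp_found=$(customized_permissive)
    if [ -n "$cnp_found" ]; then
        printf 'customized permissive domain: %s\n' $cnp_found
        return 1
    fi
    return 0
}

# Demonstration on the constructed samples (needs no SELinux on this machine).
printf '%s\n' "$SAMPLE_PERMISSIVE" | check_no_custom_permissive || echo "audit: FAIL"
printf '%s\n' "$SAMPLE_PERMISSIVE_CLEAN" | check_no_custom_permissive && echo "audit: OK"
```

On a real host, run semanage permissive -l | check_no_custom_permissive from a scheduled job; a non-zero exit means someone added a permissive domain and it should either be removed with semanage permissive -d or the underlying denial fixed in policy.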

In this article, we saw how to list, add and delete ports and permissive domains using the semanage tool on RPM-based Linux distributions. If your system has a GUI, you can install the policycoreutils-gui package via yum and then run the system-config-selinux command to open the graphical tool and configure SELinux port types from the Network Port menu.

Eyram Amedzor 12:05 am

About Eyram Amedzor

Kwaku Eyram has been working with computers and software for more than 10 years. He's an all-round geek and very fluid with the Linux, Android and Windows operating systems. Aside from being a tech enthusiast, Kwaku doubles as tech support personnel and a tech writer. He currently has an interest in IoT, web development and information security.
