How to Manage SELinux Port Labeling

Selinux Port Labeling

SELinux does more than just file and process labeling. Network traffic is also tightly enforced by the SELinux policy. One of the methods that SELinux uses for controlling network traffic is labeling network ports; for example, in the targeted policy, port 22/TCP has the label ssh_port_t associated with it.

Whenever a process wants to listen on a port, SELinux will check to see if the label associated with that process (the domain) is allowed to bind that port label. This can stop a rogue service from taking over ports otherwise used by other (legitimate) network services.

Managing Selinux Port Labeling

Whenever an administrator decides to run a service on a nonstandard port, there is a high chance that SELinux port labels will need to be updated. In some cases, the targeted policy has already labeled the port with a type that can be used; for example, since port 8008/TCP is often used for web applications, that port is already labeled with http_port_t, the default port type for the webserver.

Listing port labels

To get an overview of all the current port label assignments, administrators can use the port subcommand of the semanage command. The -l option will list all current assignments, in the form:

port_label_t     tcp|udp    comma,separated,list,of,ports

To only view local changes to the default policy, administrators can add the -C option to this command. Example output:

# semanage port -l
http_cache_port_t       tcp   8080, 8118, 8123, 10001-10010
http_cache_port_t       udp   3130
http_port_t             tcp   80, 81, 443, 488, 8008, 8009, 8443, 9000

Note that a port label can appear twice in the output, once for TCP and once for UDP.

Managing port labels

semanage can also be used to assign new port labels, remove port labels, or modify existing ones.

To add a port to an existing port label (type), use the following syntax:

# semanage port -a -t port_label -p tcp|udp PORTNUMBE

For example, to allow a gopher service to listen on port 71/TCP:

# semanage port -a -t gopher_port_t -p tcp 71

If these man pages are not yet installed on your system, follow this procedure:

# yum -y install selinux-policy-devel
# mandb
# man -k _selinux

Removing port labels

The syntax for removing a custom port label is the same as the syntax for adding a port label, but instead of using the -a option (for Add), the -d option (for Delete) is used. For example, to remove the binding of port 71/TCP to gopher_port_t:

# semanage port -d -t gopher_port_t -p tcp 71

Modifying port bindings

If an administrator has accidentally assigned the wrong type to a port, or requirements have changed, it’s possible to modify the label associated with a port. This is a more efficient process than removing the old binding and adding a new one. Modifications require the -m option. For example, to modify port 71/TCP from gopher_port_t to http_port_t, an administrator can use the following command:

# semanage port -m -t http_port_t -p tcp 71