How to Manage SELinux Port Labeling

Selinux Port Labeling

SELinux does more than just ﬁle and process labeling. Network trafﬁc is also tightly enforced by the SELinux policy. One of the methods that SELinux uses for controlling network trafﬁc is labeling network ports; for example, in the targeted policy, port 22/TCP has the label ssh_port_t associated with it.

Whenever a process wants to listen on a port, SELinux will check to see if the label associated with that process (the domain) is allowed to bind that port label. This can stop a rogue service from taking over ports otherwise used by other (legitimate) network services.

Managing Selinux Port Labeling

Whenever an administrator decides to run a service on a nonstandard port, there is a high chance that SELinux port labels will need to be updated. In some cases, the targeted policy has already labeled the port with a type that can be used; for example, since port 8008/TCP is often used for web applications, that port is already labeled with http_port_t, the default port type for the webserver.

Listing port labels

To get an overview of all the current port label assignments, administrators can use the port subcommand of the semanage command. The -l option will list all current assignments, in the form:

port_label_t     tcp|udp    comma,separated,list,of,ports

To only view local changes to the default policy, administrators can add the -C option to this command. Example output:

# semanage port -l
...
http_cache_port_t       tcp   8080, 8118, 8123, 10001-10010
http_cache_port_t       udp   3130
http_port_t             tcp   80, 81, 443, 488, 8008, 8009, 8443, 9000
...

Note that a port label can appear twice in the output, once for TCP and once for UDP.

NOTE: A graphical tool, system-config-selinux, is also available for administrators who prefer to work with GUI tools. This tool is part of the policycoreutils-gui package.

Managing port labels

semanage can also be used to assign new port labels, remove port labels, or modify existing ones.

Note: Only local modiﬁcations can be removed or modiﬁed. To allow a service to bind to a port label normally associated with another service, a small policy module must be written. Writing and generating policy modules falls outside the scope of this course. It is also not possible to remove a port label from the policy without overriding the policy module that provided that label.

To add a port to an existing port label (type), use the following syntax:

# semanage port -a -t port_label -p tcp|udp PORTNUMBE

For example, to allow a gopher service to listen on port 71/TCP:

# semanage port -a -t gopher_port_t -p tcp 71

NOTE The targeted policy ships with a large number of port types. Per-service documentation on SELinux types, Booleans, and port types can be found in the service-speciﬁc SELinux man pages found in the selinux-policy-devel package.

If these man pages are not yet installed on your system, follow this procedure:

# yum -y install selinux-policy-devel
# mandb
# man -k _selinux

Removing port labels

The syntax for removing a custom port label is the same as the syntax for adding a port label, but instead of using the -a option (for Add), the -d option (for Delete) is used. For example, to remove the binding of port 71/TCP to gopher_port_t:

# semanage port -d -t gopher_port_t -p tcp 71

Modifying port bindings

If an administrator has accidentally assigned the wrong type to a port, or requirements have changed, it’s possible to modify the label associated with a port. This is a more efﬁcient process than removing the old binding and adding a new one. Modiﬁcations require the -m option. For example, to modify port 71/TCP from gopher_port_t to http_port_t, an administrator can use the following command:

# semanage port -m -t http_port_t -p tcp 71