user guide draft: "Port Numbers"

I renamed "Booleans for Confined Services" to "How are Confined Services Running?", and added a little about port numbers:

[introduction]

Services can be run in a variety of ways. To cater for this, you must tell SELinux how you are running services. This can be achieved via Booleans that allow parts of SELinux policy to be changed at runtime, without any knowledge of SELinux policy writing. This allows changes, such as allowing services access to NFS file systems, without reloading or recompiling SELinux policy. Also, running services on non-default port numbers requires policy configuration to be updated via the semanage command.

...

Port Numbers

Depending on policy configuration, services may only be allowed to run on certain port numbers. Attempting to change which port a server runs on without changing policy may result in the service failing to start. For example, run the semanage port -l | grep http command to list http related ports:

[example output]

The http_port_t port type defines which ports the Apache HTTP Server can listen on, which in this case, are TCP ports 80, 443, 488, 8008, 8009, and 8443. If an administrator configures httpd.conf so that httpd listens on port 9876 (Listen 9876), but policy is not updated to reflect this, the service httpd start command fails:

[example output]

An SELinux denial similar to the following is logged to /var/log/audit/audit.log:

[example output]

To allow httpd to listen on a port that is not listed for the http_port_t port type, run the semanage port command to add it to policy configuration[1]:

# /usr/sbin/semanage port -a -t http_port_t -p tcp 9876

The -a option adds a new record; the -t option defines a type; and the -p option defines a protocol. The last argument is the port number to add.
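The check an administrator would want before editing Listen is whether the new port is already covered by http_port_t. The following is an added example, not part of the draft: it parses the semanage port -l listing (a constructed sample is embedded, with the http_port_t ports the draft names) and prints the semanage port -a command only when the port is missing; the function names are my own.

```sh
#!/bin/sh
# Constructed sample of `semanage port -l` output for this example (not captured
# from a real host); the http_port_t line matches the ports listed in the draft.
SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
ssh_port_t                     tcp      22'
PORT_LIST="${PORT_LIST:-$SAMPLE_PORT_LIST}"   # on a real host: PORT_LIST=$(semanage port -l)

# port_allowed TYPE PROTO PORT
# Exit 0 when PORT/PROTO is covered by TYPE in $PORT_LIST, 1 otherwise.
# Handles both single ports and ranges such as 10001-10010.
port_allowed() {
  printf '%s\n' "$PORT_LIST" | awk -v t="$1" -v pr="$2" -v p="$3" '
    $1 == t && $2 == pr {
      for (i = 3; i <= NF; i++) {
        v = $i; sub(/,$/, "", v)          # strip the trailing comma
        if (split(v, r, "-") == 2) {      # a range: low-high
          if (p + 0 >= r[1] + 0 && p + 0 <= r[2] + 0) found = 1
        } else if (v + 0 == p + 0) {
          found = 1
        }
      }
    }
    END { exit (found ? 0 : 1) }'
}

# port_fix_cmd TYPE PROTO PORT
# Print the semanage command needed before the service can bind PORT, or
# nothing if policy already allows it. Uses -a (add) as in the draft; if the
# port is already labelled with a different type, semanage rejects -a and
# -m (modify) must be used instead.
port_fix_cmd() {
  if port_allowed "$1" "$2" "$3"; then
    return 0
  fi
  printf 'semanage port -a -t %s -p %s %s\n' "$1" "$2" "$3"
}

# The draft's scenario: httpd configured with "Listen 9876".
port_fix_cmd http_port_t tcp 9876
```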

Thanks!


[1] The semanage port -a command adds an entry to the /etc/selinux/targeted/modules/active/ports.local file. Note: by default, this file can only be viewed by the Linux root user.
