SELinux and Ports

Here is an example of how SELinux controls which ports a confined service may bind.
Say that the port Apache listens on was changed to 1000.
When you start Apache you get these errors:

[root@server01 conf]# systemctl status httpd
httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
Drop-In: /usr/lib/systemd/system/httpd.service.d
└─php-fpm.conf
Active: failed (Result: exit-code) since Tue 2019-10-29 19:34:11 AEDT; 5min ago
Docs: man:httpd.service(8)
Process: 26402 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
Main PID: 26402 (code=exited, status=1/FAILURE)
Status: "Reading configuration..."
Oct 29 19:34:11 server01 systemd[1]: Starting The Apache HTTP Server...
Oct 29 19:34:11 server01 httpd[26402]: AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 192.168.1.201. Set the 'ServerName' directive gl>
Oct 29 19:34:11 server01 httpd[26402]: (13)Permission denied: AH00072: make_sock: could not bind to address [::]:1000
Oct 29 19:34:11 server01 httpd[26402]: (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:1000
Oct 29 19:34:11 server01 httpd[26402]: no listening sockets available, shutting down
Oct 29 19:34:11 server01 httpd[26402]: AH00015: Unable to open logs
Oct 29 19:34:11 server01 systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Oct 29 19:34:11 server01 systemd[1]: httpd.service: Failed with result 'exit-code'.
Oct 29 19:34:11 server01 systemd[1]: Failed to start The Apache HTTP Server.

Get the list of ports that httpd is allowed to use (http_port_t is the type httpd may bind):

[root@server01 conf]# semanage port -l | grep http
http_cache_port_t tcp 8080, 8118, 8123, 10001-10010
http_cache_port_t udp 3130
http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989

Port 1000 is not on the list, so we need to add it to http_port_t. The change is stored in the local policy module and survives a reboot.
(If the port were already listed under another type, semanage port -a would refuse with "already defined"; use semanage port -m instead to move it.)

[root@server01 conf]# semanage port -a -t http_port_t -p tcp 1000

check port 1000 was added ok

[root@server01 conf]# semanage port -l | grep http
http_cache_port_t tcp 8080, 8118, 8123, 10001-10010
http_cache_port_t udp 3130
http_port_t tcp 1000, 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989

Then start Apache again:

[root@server01 conf]# systemctl start httpd
[root@server01 conf]# systemctl status httpd
httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
Drop-In: /usr/lib/systemd/system/httpd.service.d
└─php-fpm.conf
Active: active (running) since Tue 2019-10-29 19:39:29 AEDT; 3s ago
Docs: man:httpd.service(8)
Main PID: 26435 (httpd)
Status: "Started, listening on: port 1000"
Tasks: 213 (limit: 23343)
Memory: 32.6M
CGroup: /system.slice/httpd.service
├─26435 /usr/sbin/httpd -DFOREGROUND
├─26436 /usr/sbin/httpd -DFOREGROUND
├─26437 /usr/sbin/httpd -DFOREGROUND
├─26438 /usr/sbin/httpd -DFOREGROUND
└─26439 /usr/sbin/httpd -DFOREGROUND


Oct 29 19:39:29 server01 systemd[1]: Starting The Apache HTTP Server...
Oct 29 19:39:29 server01 httpd[26435]: AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 192.168.1.201. Set the 'ServerName' directive gl>
Oct 29 19:39:29 server01 httpd[26435]: Server configured, listening on: port 1000
Oct 29 19:39:29 server01 systemd[1]: Started The Apache HTTP Server.


To undo the above steps, first list the ports assigned to the http types:

[root@server01 conf]# semanage port --list | grep http
http_cache_port_t tcp 8080, 8118, 8123, 10001-10010
http_cache_port_t udp 3130
http_port_t tcp 1000, 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989

Then remove port 1000

[root@server01 conf]# semanage port -d -t http_port_t -p tcp 1000

list the ports again to make sure it was removed.

[root@server01 conf]# semanage port --list | grep http
http_cache_port_t tcp 8080, 8118, 8123, 10001-10010
http_cache_port_t udp 3130
http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989
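As an added example (not part of the original notes), the decision behind the semanage port -a above, written as a small POSIX sh script: it parses a `semanage port -l` listing, including ranges such as 10001-10010, and prints the command needed to let a type cover a port. Three rules drive it: -a fails only when the exact port is already an entry of some type, -m only works on such an exact entry, and a port that merely falls inside another type's range (as 1000 does in 512-1023) can still be added with -a, which is what the session above did. The sample listing is constructed from the output above plus a hi_reserved_port_t line assumed from the default targeted policy; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original notes): decide whether a port must be
# added to (-a) or moved into (-m) an SELinux port type before a confined
# daemon such as httpd can bind it. Parses the "type proto ports" lines that
# `semanage port -l` prints, including ranges like 10001-10010.

# Constructed sample of `semanage port -l` output: the http lines shown above
# plus the hi_reserved_port_t range (assumed from the default targeted policy).
SAMPLE_PORT_LIST='hi_reserved_port_t             tcp      512-1023
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989'

# port_in_spec PORT "80, 81, 10001-10010": prints "exact" if PORT is listed on
# its own, "range" if it falls inside a listed range, and fails otherwise.
# Runs in a subshell so the IFS change does not leak.
port_in_spec() (
    port=$1
    IFS=,
    for item in $(printf '%s' "$2" | tr -d ' '); do
        case $item in
            *-*)
                lo=${item%-*}; hi=${item#*-}
                if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
                    echo range; exit 0
                fi ;;
            *)
                if [ "$port" -eq "$item" ]; then
                    echo exact; exit 0
                fi ;;
        esac
    done
    exit 1
)

# port_match PROTO PORT: reads a semanage port listing on stdin and prints
# "TYPE exact" or "TYPE range" (an exact entry wins over a range), or nothing.
port_match() {
    proto=$1; port=$2; exact=; ranged=
    while read -r ptype pproto pspec; do
        [ "$pproto" = "$proto" ] || continue
        kind=$(port_in_spec "$port" "$pspec") || continue
        case $kind in
            exact) [ -n "$exact" ] || exact=$ptype ;;
            range) [ -n "$ranged" ] || ranged=$ptype ;;
        esac
    done
    if [ -n "$exact" ]; then printf '%s exact\n' "$exact"
    elif [ -n "$ranged" ]; then printf '%s range\n' "$ranged"
    fi
    return 0
}

# semanage_port_cmd WANTED_TYPE PROTO PORT: reads the listing on stdin and
# prints the semanage command that makes WANTED_TYPE cover PROTO/PORT, or
# nothing if it already does.
semanage_port_cmd() {
    wanted=$1; proto=$2; port=$3
    match=$(port_match "$proto" "$port")
    mtype=${match% *}; mkind=${match#* }
    if [ -z "$match" ]; then
        printf 'semanage port -a -t %s -p %s %s\n' "$wanted" "$proto" "$port"
    elif [ "$mtype" = "$wanted" ]; then
        :   # already covered, either exactly or by a range of the wanted type
    elif [ "$mkind" = exact ]; then
        printf 'semanage port -m -t %s -p %s %s\n' "$wanted" "$proto" "$port"
    else
        # only inside another type's range: a more specific entry can be added
        printf 'semanage port -a -t %s -p %s %s\n' "$wanted" "$proto" "$port"
    fi
}

# Stand-alone demonstration against the constructed listing.
for p in 1000 8080 443 10005; do
    cmd=$(printf '%s\n' "$SAMPLE_PORT_LIST" | semanage_port_cmd http_port_t tcp "$p")
    printf 'tcp/%s: %s\n' "$p" "${cmd:-already covered by http_port_t}"
done
```

On a real host feed it the live listing, `semanage port -l | semanage_port_cmd http_port_t tcp 1000`, and run the command it prints. Parsing the ranges properly matters: a quick `semanage port -l | grep 1000` would also match the 10001-10010 range of http_cache_port_t and mislead you.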

SELinux and file contexts

Apache's DocumentRoot was changed from the default folder to /repos.
Attempting to get index.html results in an error:

[root@server01 repos]# curl localhost/index.html
Forbidden
You don't have permission to access /index.html on this server.

Add a file context rule so the new folder gets the type httpd is allowed to read (httpd_sys_content_t):

[root@server01 repos]# semanage fcontext -a -t httpd_sys_content_t "/repos(/.*)?"

Check the context:

[root@server01 repos]# ls -laZ
total 4
drwxr-s---. 2 root apache unconfined_u:object_r:default_t:s0 24 Oct 29 14:57 .
dr-xr-xr-x. 18 root root system_u:object_r:root_t:s0 237 Oct 29 14:56 ..
-rw-r--r--. 1 root apache unconfined_u:object_r:default_t:s0 6 Oct 29 14:57 index.html

It has not applied the label: semanage fcontext only records the rule in the policy, which is what makes it persistent (a chcon on the folder would label it now but be undone by the next relabel).
Apply the rule to the folder with restorecon:

[root@server01 repos]# restorecon -R -v /repos
Relabeled /repos from unconfined_u:object_r:default_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Relabeled /repos/index.html from unconfined_u:object_r:default_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0

Check the folder now has the new context:

[root@server01 repos]# ls -laZ
total 4
drwxr-s---. 2 root apache unconfined_u:object_r:httpd_sys_content_t:s0 24 Oct 29 14:57 .
dr-xr-xr-x. 18 root root system_u:object_r:root_t:s0 237 Oct 29 14:56 ..
-rw-r--r--. 1 root apache unconfined_u:object_r:httpd_sys_content_t:s0 6 Oct 29 14:57 index.html

Test the web page is accessible:

[root@server01 repos]# curl localhost/index.html
hello
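As an added example (not part of the original notes), the "rule recorded but not yet applied" state above turned into a check: a POSIX sh script that reads `ls -laZ` output and lists the entries whose on-disk type is not the one httpd needs. The two listings it runs over are constructed from the before and after output above; the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original notes: from `ls -laZ` output, list
# the entries whose on-disk SELinux type is not the one httpd needs. This is
# the check worth running right after `semanage fcontext -a`, which only
# records the rule; the files keep their old label until restorecon applies it.

# Constructed input: the two `ls -laZ /repos` listings shown above, before and
# after restorecon.
LS_BEFORE='total 4
drwxr-s---. 2 root apache unconfined_u:object_r:default_t:s0 24 Oct 29 14:57 .
dr-xr-xr-x. 18 root root system_u:object_r:root_t:s0 237 Oct 29 14:56 ..
-rw-r--r--. 1 root apache unconfined_u:object_r:default_t:s0 6 Oct 29 14:57 index.html'

LS_AFTER='total 4
drwxr-s---. 2 root apache unconfined_u:object_r:httpd_sys_content_t:s0 24 Oct 29 14:57 .
dr-xr-xr-x. 18 root root system_u:object_r:root_t:s0 237 Oct 29 14:56 ..
-rw-r--r--. 1 root apache unconfined_u:object_r:httpd_sys_content_t:s0 6 Oct 29 14:57 index.html'

# context_type CONTEXT: the type field of a user:role:type:level context.
context_type() {
    rest=${1#*:*:}                 # drop user and role
    printf '%s\n' "${rest%%:*}"    # keep the type, drop the MLS level
}

# mislabelled EXPECTED_TYPE: reads `ls -laZ` output on stdin and prints the
# names whose type differs from EXPECTED_TYPE, one per line. The parent entry
# ".." is skipped: it sits outside the labelled tree (root_t above) and must
# not be "fixed".
mislabelled() {
    expected=$1
    while read -r mode links owner group ctx size month day time name; do
        [ -n "$ctx" ] || continue            # "total N" header or blank line
        [ "$name" = ".." ] && continue
        [ "$(context_type "$ctx")" = "$expected" ] || printf '%s\n' "$name"
    done
    return 0
}

# Stand-alone demonstration against the constructed listings.
echo "before restorecon:"; printf '%s\n' "$LS_BEFORE" | mislabelled httpd_sys_content_t
echo "after restorecon:";  printf '%s\n' "$LS_AFTER"  | mislabelled httpd_sys_content_t
```

On a live host the equivalent check is `restorecon -Rnv /repos`, which reports what it would relabel without changing anything; this script is for reading a listing you were sent or saved.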

How to manually update Plex in a FreeNAS jail

Pre-Update Steps
Log in to the server (the Plex jail) as root.

Download the update to the server

1) Change to the plexmediaserver directory

root@plex:/ # cd /usr/local/share/plexmediaserver

2) stop the plexmediaserver service

root@plex:/usr/local/share/plexmediaserver # service plexmediaserver stop
Stopping plexmediaserver.
Cleaning up leftover child processes.

3) Copy the Plex update into the current directory and unpack it (the exact file name will differ slightly from what is shown)

root@plex:/usr/local/share/plexmediaserver # tar -xjvf PlexMediaServer-1.16.6.1592-b9d49bdb7-FreeBSD-amd64.tar.bz2

4) Check it looks like it is supposed to (optional)

root@plex:/usr/local/share/plexmediaserver # ls PlexMediaServer-1.16.6.1592-b9d49bdb7
CrashUploader
Plex Commercial Skipper
Plex DLNA Server
Plex Media Fingerprinter
Plex Media Scanner
Plex Media Server
Plex Relay
Plex Script Host
Plex Transcoder
Plex Tuner Service
Resources
lib
start.sh

5) Copy everything from the newly created folder to the current folder (the exact name of the folder will be slightly different to what is shown)

root@plex:/usr/local/share/plexmediaserver # cp -r PlexMediaServer-1.16.6.1592-b9d49bdb7/* .

6) Start the service again

root@plex:/usr/local/share/plexmediaserver # service plexmediaserver start
Starting plexmediaserver.

7) Check the service status

root@plex:/usr/local/share/plexmediaserver # service plexmediaserver status
plexmediaserver is running as pid 5859.
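As an added example (not part of the original notes, and not Plex's own tooling), the steps above as one script that checks the archive before stopping anything. It assumes the FreeBSD sh in the jail, the install directory and rc service name used above, and that the archive unpacks into a directory named like the tarball minus its -FreeBSD-amd64.tar.bz2 suffix, as the archive shown above does; PLEX_DIR and the function names are mine. It checks only that the archive looks like a release, not where it came from.

```shell
#!/bin/sh
# Added example (not from the original notes, not Plex's own tooling): the
# manual update above as one script with the checks a hurried run skips.
# Assumes the FreeBSD sh in the jail, the install directory and rc service
# name used above, and that the release directory inside the tarball is the
# tarball name without its "-FreeBSD-amd64.tar.bz2" suffix.

PLEX_DIR=${PLEX_DIR:-/usr/local/share/plexmediaserver}

# plex_release_dir TARBALL: the directory the archive unpacks into.
plex_release_dir() {
    t=${1##*/}                       # strip any leading path
    printf '%s\n' "${t%-FreeBSD-*}"
}

# release_looks_complete RELDIR: reads a `tar -tf` listing on stdin and
# succeeds only if the entries a working install needs are all present
# under RELDIR (the top-level names the listing above shows).
release_looks_complete() {
    rel=$1; found=0
    while read -r entry; do
        case $entry in
            "$rel/Plex Media Server"|"$rel/Plex Media Scanner"|"$rel/start.sh")
                found=$((found + 1)) ;;
        esac
    done
    [ "$found" -eq 3 ]
}

# plex_update TARBALL: inspect the archive, then stop, unpack, copy over the
# install, clean up and restart, in the order the steps above use.
plex_update() {
    tarball=$1
    case $tarball in /*) ;; *) tarball=$PWD/$tarball ;; esac   # survive the cd below
    [ -f "$tarball" ] || { echo "no such file: $tarball" >&2; return 1; }
    rel=$(plex_release_dir "$tarball")
    tar -tf "$tarball" | release_looks_complete "$rel" \
        || { echo "$tarball does not look like a Plex release" >&2; return 1; }
    cd "$PLEX_DIR" || return 1
    service plexmediaserver stop
    tar -xf "$tarball"                 # bsdtar recognises the bzip2 stream itself
    cp -R "$rel"/* . || return 1
    rm -rf "$rel"                      # do not leave the unpacked copy behind
    service plexmediaserver start
    service plexmediaserver status
}

# Run directly as: sh update-plex.sh PlexMediaServer-<version>-FreeBSD-amd64.tar.bz2
if [ "$#" -ge 1 ]; then
    plex_update "$1"
fi
```

The archive is listed and checked before the service is stopped, so a truncated or wrong download leaves the running install untouched; the unpacked release directory is removed afterwards instead of being left inside the install directory as the manual steps do.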