Here is an example of how SELinux controls which ports a service may use.
Say the port that Apache listens on has been changed to 1000.
When you start Apache you get these errors:
[root@server01 conf]# systemctl status httpd
httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
Drop-In: /usr/lib/systemd/system/httpd.service.d
└─php-fpm.conf
Active: failed (Result: exit-code) since Tue 2019-10-29 19:34:11 AEDT; 5min ago
Docs: man:httpd.service(8)
Process: 26402 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
Main PID: 26402 (code=exited, status=1/FAILURE)
Status: "Reading configuration..."
Oct 29 19:34:11 server01 systemd[1]: Starting The Apache HTTP Server...
Oct 29 19:34:11 server01 httpd[26402]: AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 192.168.1.201. Set the 'ServerName' directive gl>
Oct 29 19:34:11 server01 httpd[26402]: (13)Permission denied: AH00072: make_sock: could not bind to address [::]:1000
Oct 29 19:34:11 server01 httpd[26402]: (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:1000
Oct 29 19:34:11 server01 httpd[26402]: no listening sockets available, shutting down
Oct 29 19:34:11 server01 httpd[26402]: AH00015: Unable to open logs
Oct 29 19:34:11 server01 systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Oct 29 19:34:11 server01 systemd[1]: httpd.service: Failed with result 'exit-code'.
Oct 29 19:34:11 server01 systemd[1]: Failed to start The Apache HTTP Server.
Get the list of ports that the http port types are allowed to use:
[root@server01 conf]# semanage port -l | grep http
http_cache_port_t tcp 8080, 8118, 8123, 10001-10010
http_cache_port_t udp 3130
http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989
Port 1000 is not on the list, so we need to add it to the http_port_t type:
[root@server01 conf]# semanage port -a -t http_port_t -p tcp 1000
Check that port 1000 was added:
[root@server01 conf]# semanage port -l | grep http
http_cache_port_t tcp 8080, 8118, 8123, 10001-10010
http_cache_port_t udp 3130
http_port_t tcp 1000, 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989
Then restart Apache:
[root@server01 conf]# systemctl start httpd
[root@server01 conf]# systemctl status httpd
httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
Drop-In: /usr/lib/systemd/system/httpd.service.d
└─php-fpm.conf
Active: active (running) since Tue 2019-10-29 19:39:29 AEDT; 3s ago
Docs: man:httpd.service(8)
Main PID: 26435 (httpd)
Status: "Started, listening on: port 1000"
Tasks: 213 (limit: 23343)
Memory: 32.6M
CGroup: /system.slice/httpd.service
├─26435 /usr/sbin/httpd -DFOREGROUND
├─26436 /usr/sbin/httpd -DFOREGROUND
├─26437 /usr/sbin/httpd -DFOREGROUND
├─26438 /usr/sbin/httpd -DFOREGROUND
└─26439 /usr/sbin/httpd -DFOREGROUND
Oct 29 19:39:29 server01 systemd[1]: Starting The Apache HTTP Server...
Oct 29 19:39:29 server01 httpd[26435]: AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 192.168.1.201. Set the 'ServerName' directive gl>
Oct 29 19:39:29 server01 httpd[26435]: Server configured, listening on: port 1000
Oct 29 19:39:29 server01 systemd[1]: Started The Apache HTTP Server.
To undo the above steps, first get the list of ports used by the http port types:
[root@server01 conf]# semanage port --list | grep http
http_cache_port_t tcp 8080, 8118, 8123, 10001-10010
http_cache_port_t udp 3130
http_port_t tcp 1000, 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989
Then remove port 1000 from http_port_t:
[root@server01 conf]# semanage port -d -t http_port_t -p tcp 1000
List the ports again to make sure it was removed:
[root@server01 conf]# semanage port --list | grep http
http_cache_port_t tcp 8080, 8118, 8123, 10001-10010
http_cache_port_t udp 3130
http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989
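The add, verify and remove steps above, as an added example that is not part of the original post: a POSIX shell script that parses the semanage port -l listing (ranges such as 10001-10010 included) so the semanage change is only issued when the port is not already in the requested state. The listing embedded in it is constructed from the output shown on this page, and the port_has_type and next_step function names are my own.

```shell
# Added example (not from the original post): decide from "semanage port -l"
# output whether a port is already covered by a port type, ranges such as
# 10001-10010 included, and print the semanage command that is still needed.
# The listing below is constructed from the page's output; on a real host use
#   semanage port -l | next_step add http_port_t tcp 1000
SAMPLE_LISTING='http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989'

# port_has_type TYPE PROTO PORT   (listing on stdin)
# Exit 0 if PORT appears, alone or inside a range, on the TYPE/PROTO line.
port_has_type() {
    awk -v t="$1" -v p="$2" -v n="$3" '
        $1 == t && $2 == p {
            for (i = 3; i <= NF; i++) {
                f = $i
                sub(/,$/, "", f)                   # strip the trailing comma
                if (split(f, r, "-") == 2) {       # a range like 10001-10010
                    if (n + 0 >= r[1] + 0 && n + 0 <= r[2] + 0) found = 1
                } else if (f + 0 == n + 0) {
                    found = 1
                }
            }
        }
        END { exit (found ? 0 : 1) }'
}

# next_step add|del TYPE PROTO PORT   (listing on stdin)
# Prints the semanage command needed to reach the requested state, or a
# "nothing to do" line when the listing already shows it (idempotent).
next_step() {
    action=$1; ptype=$2; proto=$3; port=$4
    if port_has_type "$ptype" "$proto" "$port"; then present=yes; else present=no; fi
    case "$action:$present" in
        add:no)  echo "semanage port -a -t $ptype -p $proto $port" ;;
        del:yes) echo "semanage port -d -t $ptype -p $proto $port" ;;
        add:yes) echo "nothing to do: $proto/$port is already $ptype" ;;
        *)       echo "nothing to do: $proto/$port is not $ptype" ;;
    esac
}

# Demonstration on the constructed listing: 1000 is missing from http_port_t,
# so the add command is printed; 80 is already there, so there is nothing to run.
printf '%s\n' "$SAMPLE_LISTING" | next_step add http_port_t tcp 1000
printf '%s\n' "$SAMPLE_LISTING" | next_step add http_port_t tcp 80
```

If the port is already assigned to a different type, semanage port -a refuses with an "already defined" error and semanage port -m is the verb to use instead. The denial behind the (13)Permission denied error is also recorded in the audit log and can be confirmed with ausearch -m avc -ts recent, which distinguishes an SELinux port denial from a firewall or file-permission problem.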