SELinux – Common SELinux network service related problems

SELinux has it’s own internal database that stores information about most commonly used network based software packages, e.g. ssh, apache, nfs,….etc. As a result it knows what default (aka standard) ports these service listen on (e.g. port 80 and 443 for apache) and where the default directories are located (e.g. /var/www/html for apache). Therefore for network based services like httpd, SELinux may prevent it from working properly if configure your software to use a:

  • non-standard directory – e.g. for apache you set the data folder to be /var/www/my-website instead of the standard /var/www/html directory
  • non-standard port number – e.g. for apache you set the default port number to be 8102 instead of default port number of port 80 or 443.

Identifying standard ports

There’s two places to find this:

$ cat /etc/services

This file is just for information. As for the which ports selinux will allow apache to listen on, we can find this by running:

and also like this:

$ semanage port -l | grep http
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989

In these scenarios, you need to inform SELinux that you want to use custom port number and directories. You do that by adding policy rules. For custom port numbers, you will need to run a command like this:

$ semanage -port -a -t http_port_t -p tcp {custom port number}

Note: sealert should be able to suggest this.