Skip to content

Control SELinux Port Labeling

Objectives

  • Ensure network ports have the correct SELinux type for services to bind.

SELinux Port Labeling

  • SELinux labels network ports with contexts to control access.
  • Policies specify which ports services can use (e.g., SSH uses ssh_port_t for port 22).

Managing Port Labeling

  • Listing Ports: Use semanage port -l.
  • Adding Labels: semanage port -a -t type -p protocol port.
  • Deleting Labels: semanage port -d -t type -p protocol port.
  • Modifying Labels: semanage port -m -t new_type -p protocol port.

Example Commands

  • List ports: semanage port -l | grep ftp
  • Add label: semanage port -a -t gopher_port_t -p tcp 71
  • Modify label: semanage port -m -t http_port_t -p tcp 71

Questions and Answers

  1. What is the purpose of SELinux port labeling?

  2. To ensure that network ports are correctly labeled for services to bind to them securely.

  3. How does SELinux control network access using port labeling?

  4. SELinux labels network ports with contexts and includes rules in a service's targeted policy to control access.

  5. What command lists all current SELinux port label assignments?

  6. semanage port -l

  7. How can you filter SELinux port labels by service name?

  8. Use semanage port -l | grep service_name.

  9. What command adds a new port label in SELinux?

  10. semanage port -a -t port_label -p protocol port_number

  11. How do you remove an existing SELinux port label?

  12. semanage port -d -t port_label -p protocol port_number

  13. What is the command to modify an existing SELinux port label?

  14. semanage port -m -t new_port_label -p protocol port_number

  15. Explain the significance of the -t and -p options in the semanage port command.

  16. -t specifies the port type (label), and -p specifies the protocol (tcp or udp).

  17. What happens if a service tries to bind to a port not labeled with the correct SELinux type?

  18. SELinux will block the attempt, preventing the service from using the port.

  19. How can you view local changes to the default SELinux policy?

    • semanage port -l -C

  20. Why can't you change default port labels using the semanage command?

    • Default port labels are defined in the service's policy module and must be modified within that module.

  21. What are the steps to label a new port with an existing port context?

    • Use semanage port -a -t existing_port_label -p protocol port_number.

  22. How can you check if port 80 is labeled correctly for HTTP traffic?

    • semanage port -l | grep -w 80

  23. What SELinux port context label is used for the default SSH port?

    • ssh_port_t

  24. Describe the process for enabling a service to listen on a nonstandard port with SELinux.

    • Label the port with the correct type using semanage port -a -t service_port_label -p protocol port_number.

  25. How does SELinux prevent rogue services from taking over ports?

    • By ensuring only processes with the correct SELinux context can bind to specific labeled ports.

  26. Why might you need to modify port bindings in SELinux?

    • To accommodate services that need to use nonstandard ports or changes in network configurations.

  27. What command lists all port labels assigned to FTP services?

    • semanage port -l | grep ftp

  28. How do you ensure a web server can use port 8080 for HTTP traffic?

    • Label port 8080 with http_port_t using semanage port -a -t http_port_t -p tcp 8080.

  29. What is the role of service-specific SELinux man pages?

    • They provide detailed information on SELinux types, Booleans, and port types for specific services.