Lesson 9.7: Manage SELinux port labels


Configuring Apache Web Server to run on a non-default port

# The default HTTP port is 80
[root@server ~]# netstat -tnl | grep 80
tcp6       0      0 :::80                   :::*                    LISTEN

# Modifying the port from 80 to 8098
[root@server ~]# vi /etc/httpd/conf/httpd.conf
Listen 8098

# If SELinux is in enforcing mode and the port is changed, SELinux must be told about the new port.
# Otherwise the httpd service will fail to start.
[root@server ~]# getenforce
Enforcing
[root@server ~]# systemctl restart httpd
Job for httpd.service failed because the control process exited with error code.
See "systemctl status httpd.service" and "journalctl -xeu httpd.service" for details.
[root@server ~]# systemctl status httpd
× httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; preset: disabled)
     Active: failed (Result: exit-code) since Mon 2024-09-30 10:40:09 +0545; 10s ago
   Duration: 26min 34.052s
       Docs: man:httpd.service(8)
    Process: 5296 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
   Main PID: 5296 (code=exited, status=1/FAILURE)
     Status: "Reading configuration..."
        CPU: 29ms

Sep 30 10:39:41 server systemd[1]: Starting The Apache HTTP Server...
Sep 30 10:40:09 server httpd[5296]: AH00558: httpd: Could not reliably determine the server's fully quali>
Sep 30 10:40:09 server httpd[5296]: (13)Permission denied: AH00072: make_sock: could not bind to address >
Sep 30 10:40:09 server httpd[5296]: (13)Permission denied: AH00072: make_sock: could not bind to address >
Sep 30 10:40:09 server httpd[5296]: no listening sockets available, shutting down
Sep 30 10:40:09 server httpd[5296]: AH00015: Unable to open logs
Sep 30 10:40:09 server systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Sep 30 10:40:09 server systemd[1]: httpd.service: Failed with result 'exit-code'.
Sep 30 10:40:09 server systemd[1]: Failed to start The Apache HTTP Server.
# A reference for the command is given in the file /etc/ssh/sshd_config:
# If you want to change the port on a SELinux system, you have to tell SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
[root@server ssh]# semanage port -a -t http_port_t -p tcp 8098

# Now the service will run
[root@server ssh]# systemctl restart httpd
[root@server ssh]# systemctl status httpd
httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; preset: disabled)
     Active: active (running) since Mon 2024-09-30 10:48:23 +0545; 19s ago
       Docs: man:httpd.service(8)
   Main PID: 5673 (httpd)
     Status: "Total requests: 0; Idle/Busy workers 100/0;Requests/sec: 0; Bytes served/sec: 0 B/sec"
      Tasks: 177 (limit: 22585)
     Memory: 25.2M
        CPU: 173ms
     CGroup: /system.slice/httpd.service
             ├─5673 /usr/sbin/httpd -DFOREGROUND
             ├─5686 /usr/sbin/httpd -DFOREGROUND
             ├─5687 /usr/sbin/httpd -DFOREGROUND
             ├─5691 /usr/sbin/httpd -DFOREGROUND
             └─5692 /usr/sbin/httpd -DFOREGROUND

Sep 30 10:47:27 server systemd[1]: Starting The Apache HTTP Server...
Sep 30 10:47:55 server httpd[5673]: AH00558: httpd: Could not reliably determine the server's fully quali>
Sep 30 10:48:23 server httpd[5673]: Server configured, listening on: port 8098
Sep 30 10:48:23 server systemd[1]: Started The Apache HTTP Server.

# Allow the port permanently in the firewall
[root@server ssh]# firewall-cmd --permanent --add-port=8098/tcp
success
[root@server ssh]# firewall-cmd --reload
success
[root@server ssh]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources:
  services: cockpit dhcpv6-client http mountd nfs rpc-bind ssh
  ports: 8098/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

To delete a port from SELinux

[root@server ssh]# semanage port -d -t http_port_t -p tcp 8098
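
A check that fits before the `semanage port -a` step and after the `semanage port -d` step above, as an added example that is not part of the original lesson: it reads `semanage port -l` output and reports which SELinux types already cover a port, including ranges. The function names `sample_ports`, `port_types` and `has_label` are hypothetical, and the listing is a constructed sample, not output from the lesson's server.

```shell
#!/bin/sh
# Constructed sample in the layout printed by `semanage port -l`.
sample_ports() {
cat <<'EOF'
SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
unreserved_port_t              tcp      61001-65535, 1024-32767
unreserved_port_t              udp      61001-65535, 1024-32767
EOF
}

# port_types PROTO PORT: read `semanage port -l` text on stdin and print
# every SELinux type whose port list or port range covers PROTO/PORT.
port_types() {
    awk -v proto="$1" -v port="$2" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                entry = $i
                sub(/,$/, "", entry)            # drop the list separator
                n = split(entry, r, "-")        # "1024-32767" -> lo, hi
                lo = r[1] + 0
                hi = (n == 2 ? r[2] : r[1]) + 0
                if (port + 0 >= lo && port + 0 <= hi) { print $1; break }
            }
        }'
}

# has_label TYPE PROTO PORT: succeed only if TYPE covers PROTO/PORT.
has_label() {
    port_types "$2" "$3" | grep -qx "$1"
}

# Demo on the constructed sample; on a real host, pipe `semanage port -l` in instead.
if sample_ports | has_label http_port_t tcp 8098; then
    echo "tcp/8098 is already labelled http_port_t"
else
    echo "tcp/8098 is not labelled http_port_t; current types:"
    sample_ports | port_types tcp 8098
fi
```

If the lookup shows the port under another specific type, `semanage port -a` reports the port as already defined and `semanage port -m` is the command that changes the label.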

© 2025 2023 Sanjeeb KC. All rights reserved.