How to allow a non-standard ports in SELinux?

In this article, you will learn about how to allow a non-standard port in selinux?

The SELinux stands for Security-Enhanced Linux.

If you are using the SELinux policy then the service will only run on a restricted list of predefined ports. If you want to access any non-standard port then you have to first allow in SELInux. Many administrators disable the SELinux, but this is not the right choice. It takes some time while you are configuring it but, it is worth it in the perspective of security.

For instance, The default port of the sshd service is port 22. If you want to allow any other port for sshd, then you have to follow a specific procedure to change the SELinux policy.

Preconditions

  • You must log-in with a root user or a user with sudo privilege to make the changes.
  • I have tested this policy on CentOS/RHEL 7 and 8

Managing the SELinux Policy

If you want to manage the SELinux policy, then we have to install some packages so that we can handle it.

So, to use the semanage command, you have to install package setroubleshoot-server, and to get sepolicy command, we have to install package selinux-policy-devel. So let’s first install these packages using the below commands.

yum install -y setroubleshoot-server selinux-policy-devel

For example, I’m going to talk about the sshd service. I have an ssh server and now I’m changing the port of the sshd service. The predefined port is 22 and I want to use 8012. But, you can change the port number as per your requirement. After that, you can follow the below steps.

If you want to check the list of all restricted ports by the SELinux service, you can use the below command.

semanage port -l

And, to get the list of the known port used by the sshd service the following command will help.

semanage port -l | grep -w ssh_port_t
selinux current port
Checking the current port using semanage command

Now I’m going to check if port 8012 is already in use or not,

sepolicy network -p 8012
selinux standard port check
Checking the non-standard port if it is available or not using sepolicy command

And as you can see that this port 8012 is not in use. So, allow the sshd service to run on the port 8012 tcp port, you can use the below command.

semanage port -a -t ssh_port_t -p tcp 8012

Here,-a To add this port,

Note: If you want to remove a port then type -d  instead of -a look like below.

semanage port -d -t ssh_port_t -p tcp 8012

If you want to remove the non-standard port then use the above command.

Here, Now we can check the status for this port 8012,

semanage port -l | grep -w ssh_port_t
sepolicy network -p 8012
selinux port check
Confirming the new non-standard port.

Conclusion

In this tutorial, you learned about how to change the standard port in SELinux. I hope, you understand but if you have any questions, you can ask in the comment section.

Also, you can read a blog about SELinux How to set up SELinux right, the first time

Leave a Reply

Your email address will not be published.