By default, web servers listen on the known web server ports (such as ports 80 and 443). Often, administrators might want to have the web server listen on a nondefault port. The SELinux policy might reject this, as it is not standard behavior for a web server to listen on other unrelated ports.
In this recipe, we will tell SELinux that a nondefault port should still be seen as a web server port.
In order to assign a label to a different port, execute the following steps:
1. To see all the ports that match http_port_t, use semanage port -l:

    ~# semanage port -l | grep -w http_port_t
    http_port_t    tcp    80, 81, 443, 488, 8008, 8009, 8443, 9000

2. Query the SELinux policy to see which port type is assigned to a particular port. For instance, for port 8881, the following command is used:

    ~$ seinfo --portcon=8881

3. If the port is identified as unreserved_port_t, then we can mark it as http_port_t:

    ~# semanage port -a -t http_port_t -p tcp 8881
If, however, the...
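
The lookup in step 1 and the labelling in step 3 can be combined so that the label is only added when it is missing. The shell functions below are an added example, not code from the original recipe: they parse `semanage port -l` output (port ranges included); the function names, the `SEMANAGE` override and the sample listing are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: decide from `semanage port -l` output whether a port already
# carries a given SELinux port type, and add the label only when it is missing.

# port_has_type TYPE PROTO PORT -- reads `semanage port -l` output on stdin.
# Exit status 0 if PORT is listed for TYPE/PROTO, alone or inside a range.
port_has_type() {
    awk -v type="$1" -v proto="$2" -v port="$3" '
        $1 == type && $2 == proto {
            # Fields 3..NF look like "80," "443," or a range such as "10001-10010"
            for (i = 3; i <= NF; i++) {
                entry = $i
                sub(/,$/, "", entry)
                n = split(entry, r, "-")
                lo = r[1] + 0
                hi = (n == 2) ? r[2] + 0 : lo
                if (port + 0 >= lo && port + 0 <= hi) found = 1
            }
        }
        END { exit(found ? 0 : 1) }
    '
}

# Constructed sample in the layout printed by `semanage port -l`.
sample_ports() {
    cat <<'EOF'
SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
EOF
}

# ensure_http_port PORT -- run `semanage port -a` only if PORT is not yet
# http_port_t. SEMANAGE is a hypothetical override used here for dry runs;
# a failure reported by semanage is passed through as the return status.
ensure_http_port() {
    if "${SEMANAGE:-semanage}" port -l | port_has_type http_port_t tcp "$1"; then
        echo "already labelled"
    else
        "${SEMANAGE:-semanage}" port -a -t http_port_t -p tcp "$1" && echo "added"
    fi
}
```

On a live system, `ensure_http_port 8881` run as root performs the check against the real policy; `sample_ports | port_has_type http_port_t tcp 8443` exercises the parser offline.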