Lesson 9.7: Manage SELinux port labels
Configuring the Apache web server to run on a non-default port
# The default HTTP port is 80
[root@server ~]# netstat -tnl | grep 80
tcp6 0 0 :::80 :::* LISTEN
# Modifying the listening port from 80 to 8098
[root@server ~]# vi /etc/httpd/conf/httpd.conf
Listen 8098
# If SELinux is in enforcing mode and the port is changed, SELinux must be told about the new port.
# Otherwise the httpd service will fail to start, because the policy does not allow httpd to bind to an unlabelled port.
[root@server ~]# getenforce
Enforcing
[root@server ~]# systemctl restart httpd
Job for httpd.service failed because the control process exited with error code.
See "systemctl status httpd.service" and "journalctl -xeu httpd.service" for details.
[root@server ~]# systemctl status httpd
× httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; preset: disabled)
Active: failed (Result: exit-code) since Mon 2024-09-30 10:40:09 +0545; 10s ago
Duration: 26min 34.052s
Docs: man:httpd.service(8)
Process: 5296 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
Main PID: 5296 (code=exited, status=1/FAILURE)
Status: "Reading configuration..."
CPU: 29ms
Sep 30 10:39:41 server systemd[1]: Starting The Apache HTTP Server...
Sep 30 10:40:09 server httpd[5296]: AH00558: httpd: Could not reliably determine the server's fully quali>
Sep 30 10:40:09 server httpd[5296]: (13)Permission denied: AH00072: make_sock: could not bind to address >
Sep 30 10:40:09 server httpd[5296]: (13)Permission denied: AH00072: make_sock: could not bind to address >
Sep 30 10:40:09 server httpd[5296]: no listening sockets available, shutting down
Sep 30 10:40:09 server httpd[5296]: AH00015: Unable to open logs
Sep 30 10:40:09 server systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Sep 30 10:40:09 server systemd[1]: httpd.service: Failed with result 'exit-code'.
Sep 30 10:40:09 server systemd[1]: Failed to start The Apache HTTP Server.
# A reference for this command is given in the comments of the file /etc/ssh/sshd_config
# If you want to change a port on a SELinux system, you have to tell SELinux about the change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
[root@server ssh]# semanage port -a -t http_port_t -p tcp 8098
# Now the service starts successfully (if semanage reports that the port is already defined, use -m instead of -a to modify the existing label)
[root@server ssh]# systemctl restart httpd
[root@server ssh]# systemctl status httpd
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; preset: disabled)
Active: active (running) since Mon 2024-09-30 10:48:23 +0545; 19s ago
Docs: man:httpd.service(8)
Main PID: 5673 (httpd)
Status: "Total requests: 0; Idle/Busy workers 100/0;Requests/sec: 0; Bytes served/sec: 0 B/sec"
Tasks: 177 (limit: 22585)
Memory: 25.2M
CPU: 173ms
CGroup: /system.slice/httpd.service
├─5673 /usr/sbin/httpd -DFOREGROUND
├─5686 /usr/sbin/httpd -DFOREGROUND
├─5687 /usr/sbin/httpd -DFOREGROUND
├─5691 /usr/sbin/httpd -DFOREGROUND
└─5692 /usr/sbin/httpd -DFOREGROUND
Sep 30 10:47:27 server systemd[1]: Starting The Apache HTTP Server...
Sep 30 10:47:55 server httpd[5673]: AH00558: httpd: Could not reliably determine the server's fully quali>
Sep 30 10:48:23 server httpd[5673]: Server configured, listening on: port 8098
Sep 30 10:48:23 server systemd[1]: Started The Apache HTTP Server.
# Allow the port permanently in the firewall; --permanent alone does not change the running configuration, so a reload follows
[root@server ssh]# firewall-cmd --permanent --add-port=8098/tcp
success
[root@server ssh]# firewall-cmd --reload
success
[root@server ssh]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens160
sources:
services: cockpit dhcpv6-client http mountd nfs rpc-bind ssh
ports: 8098/tcp
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
To remove the port label from SELinux again
[root@server ssh]# semanage port -d -t http_port_t -p tcp 8098