User: Password:
Subscribe / Log in / New account

SELinux and Fedora

SELinux and Fedora

Posted Jul 10, 2008 8:49 UTC (Thu) by k3ninho (subscriber, #50375)
In reply to: SELinux and Fedora by Mog
Parent article: SELinux and Fedora

I haven't tried the example set out at, but does appply to you and solve the problem?


(Log in to post comments)

SELinux and Fedora

Posted Jul 10, 2008 17:26 UTC (Thu) by dpquigl (guest, #52852) [Link]

The example will work and there is another example on Dan Walsh's blog about configuring httpd
to run on ports other than 80 which explains the core issue. 

Let's explain exactly what is going wrong here. In SELinux the application's behavior is
described with a set of rules. SELinux goes beyond the everything is a file mentality and it
also labels other objects such as pipes, directories, symlinks, and sockets. This means that
each socket has a label. The policy for sshd says sockets that sshd is going to use are
labeled ssh_port_t. If you want a list of the ports and how they are labeled you can type
/usr/sbin/semanage port -l . This will show you all of the ports that are labeled and what
they are labeled with. So let's say you moved the port for mysql. You can check what type
mysql uses by typing /usr/sbin/semanage port -l | grep mysql . You will get the line below on
a standard f9 box.

mysqld_port_t   tcp   1186, 3306, 63132-63136

You can usually use this method to find out the type for any confined network daemon. Now
let's say we changed mysqld to be on port 1187 instead of 1186. The problem here is that the
policy says that mysqld can only talk on ports labeled mysqld_port_t. If a port isn't in this
list is labeled in two ways by default reserved_t for < 1024 and unlabeled_t for > 1024 so
what happens here is mysqld would try to type to a port that is labeled unlabeled_t which it
can't do. To fix this we have to say that 1187 is labeled as mysqld_port_t which is easy to do
using the semanage command. 

/usr/sbin/semanage port -a -p tcp -t mysqld_port_t 1187

You can use this method for any confined application. The idea to take from this is an
application can only talk on ports labeled with a type it has access to. To make it use a
non-standard port you have to apply the right label to the port. You can usually find it by
looking through the output of semanage port -l and once you find it you can easily add it with
semanage port -a -p <proto> -t <type> port

I hope you found this useful. Eventually this information with a bunch of other SELinux
tutorial materials will make its way to

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds