The example will work, and there is another example on Dan Walsh's blog about configuring httpd to run on ports other than 80 which explains the core issue. Let's explain exactly what is going wrong here.

In SELinux an application's allowed behavior is described by a set of rules in the policy. SELinux goes beyond the "everything is a file" mentality and also labels other objects such as pipes, directories, symlinks, sockets, and network ports. This means that each port has a label. The policy for sshd says that the ports sshd is going to listen on are labeled ssh_port_t. To list the ports and how they are labeled, type:

/usr/sbin/semanage port -l

This shows every port that has been given a type and what that type is. So let's say you moved the port for mysql. You can check which type mysqld uses with:

/usr/sbin/semanage port -l | grep mysql

On a standard Fedora 9 box you get the line below:

mysqld_port_t tcp 1186, 3306, 63132-63136

You can usually use this method to find the port type for any confined network daemon.

Now let's say we changed mysqld to listen on port 1187 instead of 1186. The problem is that the policy says mysqld can only bind to ports labeled mysqld_port_t. A port that is not in any daemon's list gets one of two default labels: reserved_port_t if it is below 1024 and the generic port_t if it is 1024 or above (newer policies call the latter unreserved_port_t). So mysqld would try to bind to a port labeled port_t, which the policy does not allow, and the bind fails with an AVC denial for name_bind on a tcp_socket. To fix this we have to say that 1187 is labeled mysqld_port_t, which is easy to do with the semanage command:

/usr/sbin/semanage port -a -p tcp -t mysqld_port_t 1187

Run semanage port -l | grep mysql again to confirm that 1187 now appears in the list. The change is stored as a local customization, so it survives policy reloads and updates; semanage port -d -p tcp 1187 removes it again. Note that -a refuses to relabel a port that already belongs to another type (moving mysqld onto tcp 80, for example, would collide with http_port_t); use semanage port -m to modify such an entry, and remember that the port then belongs to mysqld and no longer to the daemon that had it.

You can use this method for any confined application. The idea to take from this is that an application can only talk on ports labeled with a type it has access to. To make it use a non-standard port you have to apply the right label to the port.
You can usually find the type by looking through the output of semanage port -l, and once you have found it you can easily add the port with semanage port -a -p <proto> -t <type> <port> (or -m instead of -a if the port already carries another type). I hope you found this useful. Eventually this information, along with a bunch of other SELinux tutorial materials, will make its way to selinuxproject.org
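As an added example (not from the original post or from the SELinux project), the shell functions below put the procedure above into a script. port_type parses semanage port -l output to find which type, if any, already owns a given protocol/port, treating the reserved_port_t and unreserved_port_t catch-all ranges as defaults rather than as an existing assignment; semanage_port_cmd then prints the command to run, choosing -a for a port nobody owns and -m for a port that already belongs to another type. The port listing is a constructed sample in the shape of the Fedora 9 output quoted above; pass no listing argument and both functions query the live system with semanage instead. The function names are my own.

```shell
#!/bin/sh
# Constructed sample of `semanage port -l` output, in the shape of the
# Fedora 9 listing quoted in the post. Used only so the functions can be
# exercised offline; drop the argument to use the real listing.
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
mysqld_port_t                  tcp      1186, 3306, 63132-63136
ssh_port_t                     tcp      22
reserved_port_t                tcp      1-1023
reserved_port_t                udp      1-1023'

# port_type PROTO PORT [LISTING]
# Prints the SELinux port type that covers PROTO/PORT, or nothing if the
# port is unlabeled. A match on the reserved_port_t / unreserved_port_t
# default ranges is only reported when no daemon-specific type claims the
# port, mirroring how a specific portcon entry beats the catch-all range.
port_type() {
    proto=$1; port=$2; listing=${3:-$(semanage port -l)}
    printf '%s\n' "$listing" | awk -v proto="$proto" -v port="$port" '
        NR > 1 && $2 == proto {
            # columns 3..NF hold the comma-separated ports and ranges
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                if (p ~ /-/) { split(p, r, "-"); lo = r[1]; hi = r[2] }
                else { lo = hi = p }
                if (port + 0 >= lo + 0 && port + 0 <= hi + 0) {
                    if ($1 == "reserved_port_t" || $1 == "unreserved_port_t")
                        fallback = $1
                    else { print $1; found = 1; exit }
                }
            }
        }
        END { if (!found && fallback != "") print fallback }'
}

# semanage_port_cmd PROTO PORT WANTED_TYPE [LISTING]
# Prints the semanage invocation that gives PROTO/PORT the type WANTED_TYPE:
#   -a when the port is unlabeled (or only covered by a default range),
#   -m when it already belongs to a different type (-a would fail there),
#   a comment line when it is already labeled as wanted.
# The command is printed, not executed, so the caller can review it first.
semanage_port_cmd() {
    proto=$1; port=$2; want=$3; listing=${4:-$(semanage port -l)}
    have=$(port_type "$proto" "$port" "$listing")
    case $have in
        "$want")
            printf '# %s/%s is already labeled %s\n' "$proto" "$port" "$want" ;;
        ""|reserved_port_t|unreserved_port_t)
            printf 'semanage port -a -t %s -p %s %s\n' "$want" "$proto" "$port" ;;
        *)
            printf 'semanage port -m -t %s -p %s %s\n' "$want" "$proto" "$port" ;;
    esac
}
```

Typical use on a live box is `semanage_port_cmd tcp 1187 mysqld_port_t`, which prints `semanage port -a -t mysqld_port_t -p tcp 1187`; pipe it to sh once you have read it. Asking for tcp 80 instead prints a -m command, because 80 already belongs to http_port_t and the original post's -a form would be refused.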
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds