LinuxCommandLibrary

semanage-port

Manage SELinux port definitions

TLDR

List all port labeling rules

$ sudo semanage port [[-l|--list]]

List all user-defined port labeling rules without headings

$ sudo semanage port [[-l|--list]] [[-C|--locallist]] [[-n|--noheading]]

Add a user-defined rule that assigns a label to a protocol-port pair

$ sudo semanage port [[-a|--add]] [[-t|--type]] [ssh_port_t] [[-p|--proto]] [tcp] [22000]

Add a user-defined rule that assigns a label to a protocol-port-range pair

$ sudo semanage port [[-a|--add]] [[-t|--type]] [http_port_t] [[-p|--proto]] [tcp] [80-88]

Delete a user-defined rule using its protocol-port pair

$ sudo semanage port [[-d|--delete]] [[-p|--proto]] [udp] [11940]

SYNOPSIS

Adding/Modifying/Deleting:

semanage port { -a | --add | -d | --delete | -m | --modify } -t TYPE -p { tcp | udp | sctp | dccp } PORT_OR_RANGE

Listing:

semanage port -l | --list [-t TYPE] [-p { tcp | udp | sctp | dccp }]

PARAMETERS

-a, --add
    Adds a new port definition to the SELinux policy. This maps a specific port or range to an SELinux type.

-d, --delete
    Deletes an existing port definition from the SELinux policy. This removes a previously defined port-to-type mapping.

-m, --modify
    Modifies an existing port definition. Typically used to change the SELinux type associated with a port or range without deleting and re-adding.

-l, --list
    Lists all currently defined SELinux port type mappings. Can be filtered by type or protocol.

-t TYPE, --type=TYPE
    Specifies the SELinux type to be associated with the port(s). This is a mandatory option for add, delete, and modify operations.

-p PROTOCOL, --proto=PROTOCOL
    Specifies the network protocol for the port definition. Valid options are tcp, udp, sctp, or dccp. This is a mandatory option.

PORT_OR_RANGE
    The specific port number (e.g., 80) or a range of ports (e.g., 1024-2048) to be managed. This is required for add, delete, and modify operations.

DESCRIPTION

The semanage-port command, a subcommand of semanage, is used to manage SELinux port type definitions. SELinux (Security-Enhanced Linux) is a mandatory access control (MAC) system that restricts processes and files based on security labels, enhancing system security beyond traditional Unix permissions.

For a network service to successfully bind to a specific port, SELinux requires that port to carry an appropriate SELinux type label. For example, the standard HTTP port 80 is typically labeled http_port_t. If a web server attempts to listen on port 8080, and 8080 is not assigned the http_port_t type, SELinux will deny the bind, even when traditional Unix permissions would allow it. The semanage-port command enables administrators to add, delete, modify, or list these port-to-type mappings.

Changes made with semanage-port are persistent. They are written to the SELinux policy store and survive system reboots, ensuring that custom port configurations are maintained. This tool is crucial for integrating custom applications or running standard services on non-standard ports within an SELinux-enforced environment, preventing permission denied errors and ensuring proper system operation while maintaining a strong security posture.

CAVEATS

Incorrectly adding or modifying port definitions can lead to services failing to start or being inaccessible due to SELinux denials. Always ensure the correct SELinux type is used for the service. After making changes, it's advisable to verify them using semanage port -l. If services fail, check /var/log/audit/audit.log for AVC denials and use tools like sealert for analysis.

PERSISTENCE OF CHANGES

Unlike temporary changes made with commands like chcon for file contexts, modifications made with semanage port are stored persistently in the SELinux policy store. This means the changes will survive system reboots and apply automatically.

DEBUGGING DENIALS

If a service fails to bind to a port while SELinux is in enforcing mode, it is likely that SELinux is denying the action. The /var/log/audit/audit.log file will contain AVC (Access Vector Cache) messages detailing the denial. Tools like sealert -a /var/log/audit/audit.log can interpret these logs and suggest remedies, often including the necessary semanage port command.
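Before applying the suggested command, a practitioner checks how the port is already labeled and whether the change needs -a or -m. The following added example (not part of this page or of the semanage project) parses a constructed `semanage port -l` listing to find every type covering a given protocol/port, distinguishing an exact definition (which must be relabeled with -m, since -a fails with "already defined") from a port that merely falls inside a wider range such as unreserved_port_t (which -a can label). SAMPLE_LISTING, types_for_port and suggest_port_rule are this example's own names.

```shell
#!/bin/sh
# Constructed stand-in for `semanage port -l` output (not captured from a real host);
# the real listing has the same three columns: type, protocol, comma-separated ports/ranges.
SAMPLE_LISTING='SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
unreserved_port_t              tcp      1024-32767, 32769-65535
unreserved_port_t              udp      1024-32767, 32769-65535'

# types_for_port PROTO PORT
# Prints one "TYPE exact|range" line per definition covering PROTO/PORT:
# "exact" when the listing names the port itself, "range" when the port only
# falls inside a wider N-M range such as unreserved_port_t.
types_for_port() {
    proto=$1; port=$2
    printf '%s\n' "$SAMPLE_LISTING" | while read -r type p rest; do
        [ "$p" = "$proto" ] || continue        # header line and other protocols drop out here
        for tok in $(printf '%s' "$rest" | tr ',' ' '); do
            case $tok in
                *-*)                            # a range such as 1024-32767
                    lo=${tok%-*}; hi=${tok#*-}
                    if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
                        echo "$type range"
                    fi ;;
                *)                              # a single port number
                    if [ "$tok" -eq "$port" ]; then
                        echo "$type exact"
                    fi ;;
            esac
        done
    done
}

# suggest_port_rule PROTO PORT WANTED_TYPE
# Picks the verb: an exact existing definition makes `-a` fail with
# "already defined", so only `-m` can relabel it; a port covered only by a
# range (or by nothing) can be added with `-a`.
suggest_port_rule() {
    proto=$1; port=$2; want=$3
    exact=$(types_for_port "$proto" "$port" | awk '$2 == "exact" { print $1 }')
    if [ -z "$exact" ]; then
        echo "semanage port -a -t $want -p $proto $port"
    elif [ "$exact" = "$want" ]; then
        echo "noop: $proto/$port already labeled $want"
    else
        echo "semanage port -m -t $want -p $proto $port"
    fi
}

suggest_port_rule tcp 8080 http_port_t   # only in the unreserved range -> -a
suggest_port_rule tcp 443 http_port_t    # already http_port_t -> nothing to do
```

On a live host, replace SAMPLE_LISTING with the output of `sudo semanage port -l`; the parsing is unchanged because the columns are the same.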

HISTORY

The semanage utility, including its port subcommand, was developed as part of the broader SELinux project to provide a consistent and powerful interface for managing SELinux policy components. It largely superseded older, less comprehensive tools like seport, providing a more robust and integrated way to configure persistent SELinux policies, including network port types. Its development is intertwined with the evolution of SELinux itself, becoming a core component of SELinux administration on modern Linux distributions.

SEE ALSO

semanage(8), sepolicy(8), restorecon(8), audit2allow(8), sealert(8), auditd(8)
