selinux中设置端口上下文

目标

  使用 SELinux 的 semanage 工具查询、设置端口的上下文标签

实操演示

##使用 semanage port -l 查询现有端口的上下文标签（这里用 grep 80 过滤出与 80 相关的条目）
[root@sinfotek ~]# semanage port -l | grep 80
amanda_port_t                  tcp      10080-10083
amanda_port_t                  udp      10080-10082
conntrackd_port_t              udp      3780
cyphesis_port_t                tcp      6767, 6769, 6780-6799
geneve_port_t                  tcp      6080
hadoop_namenode_port_t         tcp      8020
hplip_port_t                   tcp      1782, 2207, 2208, 8290, 8292, 9100, 9101, 9102, 9220, 9221, 9222, 9280, 9281, 9282, 9290, 9291, 50000, 50002
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
jabber_interserver_port_t      tcp      5269, 5280
jboss_management_port_t        tcp      4447, 4712, 7600, 9123, 9990, 9999, 18001
luci_port_t                    tcp      8084

##为 httpd 服务新增一个监听端口 8090（在配置文件中增加 Listen 8090）
[root@sinfotek ~]# vim /etc/httpd/conf/httpd.conf 

ServerRoot "/etc/httpd"

#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to 
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
Listen 80
Listen 8090

##重启服务失败、无法启动：SELinux 对端口同样有上下文标签限制，httpd 只允许绑定标记为 http_port_t 的端口，而 8090 尚未打上该标签，因此绑定被拒绝
[root@sinfotek ~]# systemctl restart httpd
Job for httpd.service failed because the control process exited with error code.
See "systemctl status httpd.service" and "journalctl -xe" for details.
[root@sinfotek ~]# semanage port -a -t http_port_t -p tcp 8090
[root@sinfotek ~]# semanage port -l |grep 8090
http_port_t                    tcp      8090, 80, 81, 443, 488, 8008, 8009, 8443, 9000
[root@sinfotek ~]# systemctl restart httpd
##给该端口添加 http_port_t 上下文标签后，httpd 即可正常重启并使用 8090 端口。


##添加（-a）、修改（-m）、删除（-d）端口上下文标签
[root@sinfotek ~]# semanage port -a -t http_port_t -p tcp 8090
[root@sinfotek ~]# semanage port -l |grep 8090
http_port_t                    tcp      8090, 80, 81, 443, 488, 8008, 8009, 8443, 9000
[root@sinfotek ~]# systemctl restart httpd
[root@sinfotek ~]# semanage port -m -t http_cache_port_t -p tcp 8090
[root@sinfotek ~]# semanage port -l |grep 8090
http_cache_port_t              tcp      8090, 8080, 8118, 8123, 10001-10010
[root@sinfotek ~]# semanage port -d -t http_cache_port_t -p tcp 8090
[root@sinfotek ~]# semanage port -l |grep 8090
文档更新时间: 2022-12-14 17:48   作者:xiubao yan