selinux add httpd port

Ports and SELinux example.

We want our webserver to listen to a non default port.

1. Configure httpd to listen on a non-default port - say 8999.
After a default install, httpd listens on port 80.
Change the port in /etc/httpd/conf/httpd.conf:

[root@lin70 /]# sed -i -e 's/Listen 80/Listen 8999/' /etc/httpd/conf/httpd.conf

2. In another shell, follow the audit.log file.

[root@lin70 /]# tail -f /var/log/audit/audit.log

3. Restart httpd and view the denial message in the audit.log file.

[root@lin70 /]# systemctl restart httpd

(audit.log)
avc: denied { name_bind } for pid=17010 comm="httpd" src=8999

4. Which ports is httpd allowed to listen on?

[root@lin70 /]# semanage port -l |grep ^http_port_t
http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000

5. Add port 8999 to the list of ports labelled for httpd.

[root@lin70 /]# semanage port -a -t http_port_t -p tcp 8999

6. Restart httpd and check the port list again.

[root@lin70 /]# systemctl restart httpd
[root@lin70 /]# semanage port -l |grep ^http_port_t
http_port_t tcp 8999, 80, 81, 443, 488, 8008, 8009, 8443, 9000

done.
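The steps above work for a port that nobody owns yet. A caveat worth building in: if the port is already labelled with another type (say you wanted httpd on 110), `semanage port -a` refuses with "already defined" and you need `semanage port -m` instead. The script below is an added example, not part of the original post; it pulls the denied port out of the AVC line from step 3, looks up which type currently owns it in `semanage port -l` output, and prints the right semanage command. The `semanage port -l` listing and the AVC line are constructed samples so it runs without SELinux tooling; on a real host replace SEMANAGE_OUTPUT with `$(semanage port -l)`.

```shell
#!/bin/sh
# Added example (not from the original post). Given an AVC name_bind denial and the
# current port labels, decide whether http_port_t needs -a, -m, or nothing.

# Constructed sample of `semanage port -l`; real use: SEMANAGE_OUTPUT="$(semanage port -l)"
SEMANAGE_OUTPUT='http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
pop_port_t                     tcp      106, 109, 110, 143, 220, 993, 995, 1109
ssh_port_t                     tcp      22
vnc_port_t                     tcp      5900-5999
syslogd_port_t                 udp      514'

# Constructed AVC line in the abbreviated form shown in step 3 of the post.
AVC_LINE='avc: denied { name_bind } for pid=17010 comm="httpd" src=8999'

# Print the SELinux port type that owns PORT/PROTO (handles single ports and
# ranges such as 5900-5999); prints nothing if the port is unassigned.
port_type_for() {
  port="$1"; proto="$2"
  printf '%s\n' "$SEMANAGE_OUTPUT" | awk -v port="$port" -v proto="$proto" '
    $2 == proto {
      type = $1
      for (i = 3; i <= NF; i++) {
        p = $i; sub(/,$/, "", p)
        if (p ~ /^[0-9]+-[0-9]+$/) {
          split(p, r, "-")
          if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) { print type; exit }
        } else if (p + 0 == port + 0) { print type; exit }
      }
    }'
}

# Choose the semanage command: -a when the port is free, -m when another type
# already owns it (where -a would fail), "already-labelled" when nothing is needed.
semanage_action() {
  port="$1"; proto="$2"; want="$3"
  owner="$(port_type_for "$port" "$proto")"
  if [ -z "$owner" ]; then
    echo "semanage port -a -t $want -p $proto $port"
  elif [ "$owner" = "$want" ]; then
    echo "already-labelled"
  else
    echo "semanage port -m -t $want -p $proto $port"
  fi
}

# Extract the port number (src=NNNN) from a name_bind AVC denial line.
avc_denied_port() {
  printf '%s\n' "$1" | grep 'name_bind' | sed -n 's/.*src=\([0-9][0-9]*\).*/\1/p'
}

# Stand-alone run: report what should be done for the port denied in AVC_LINE.
denied="$(avc_denied_port "$AVC_LINE")"
echo "denied port $denied: $(semanage_action "$denied" tcp http_port_t)"
```

After the port is labelled, re-run the `tail -f` from step 2 while restarting httpd; a clean restart with no further name_bind denial confirms the label took effect, and `semanage port -l | grep ^http_port_t` shows the new port at the head of the list as in step 6.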
