===== Control SELinux Port Labeling =====

==== SELinux Port Labeling ====

In addition to file context and process type labeling, SELinux labels network ports with an SELinux context. SELinux controls network access by labeling the network ports and including rules in a service's targeted policy. For example, the SSH targeted policy includes the 22/TCP port with an ssh_port_t port context label. In the HTTP policy, the default 80/TCP and 443/TCP ports use an http_port_t port context label.

When a targeted process attempts to open a port for listening, SELinux verifies that the policy includes entries that allow that process type to bind to that port context. SELinux can then block a rogue service from taking over ports that other legitimate network services use.

Typically, the targeted policy has already labeled all expected ports with the correct type. For example, because port 8008/TCP is often used for web applications, that port is already labeled with http_port_t, which is the default port type that a web server uses. An individual port can carry only one port context.

==== List Port Labels ====

Use grep on /etc/services to find the ports a service conventionally uses:

<code>
grep gopher /etc/services
</code>

Then use **semanage** to list the SELinux port labels:

<code>
semanage port -l | grep ftp
ftp_data_port_t                tcp      20
ftp_port_t                     tcp      21, 989, 990
ftp_port_t                     udp      989, 990
tftp_port_t                    udp      69
</code>

==== Add, Modify, and Delete Port Labels ====

Use the semanage command to assign new port labels, remove port labels, and modify existing ones. You can label a new port with an existing port context label (type). The semanage port command's -a option adds a new port label, the -t option denotes the type, and the -p option denotes the protocol:

<code>
[root@host ~]# semanage port -a -t port_label -p tcp|udp PORTNUMBER
</code>

For example, enable the gopher service to listen on the 71/TCP port:

<code>
[root@host ~]# semanage port -a -t gopher_port_t -p tcp 71
</code>

To see only the local changes made on top of the default policy, add the -C option:

<code>
semanage port -l -C
</code>

Service-specific SELinux man pages are named by using the service name plus _selinux. These man pages include service-specific information on SELinux types, Booleans, and port types, and are not installed by default. To view a list of all of the available SELinux man pages, install the package that provides them and then run a man -k keyword search for the _selinux string.

To delete a port label, use the -d option:

<code>
[root@host ~]# semanage port -d -t gopher_port_t -p tcp 71
</code>

To change a port binding when requirements change, use the -m option:

<code>
[root@server ~]# semanage port -m -t http_port_t -p tcp 71
</code>

==== Troubleshooting ====

Use netstat to see which process is listening on a port:

<code>
netstat -plnt | grep service-or-port
</code>

You can also use sealert to query whether SELinux blocked anything:

<code>
sealert -a /var/log/audit/audit.log
</code>
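Because a port carries only one label, running **semanage port -a** on a port the policy already labels fails, and **-m** is needed instead. The script below is an added illustration, not part of the original page: it looks a port up in a constructed sample of **semanage port -l** output (including ranges such as 5900-5999) and prints whichever -a or -m command would give it the wanted type. The listing text is constructed; on a real host, pass the live output of semanage port -l or omit the argument.

```shell
#!/bin/bash
# Constructed sample of `semanage port -l` output (not captured from a real host);
# the labels and ranges mirror what the targeted policy normally ships.
SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number

ftp_port_t                     tcp      21, 989, 990
gopher_port_t                  tcp      70
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
vnc_port_t                     tcp      5900-5999'

# port_label PROTO PORT [LISTING]: print the port type that covers PORT/PROTO,
# handling both comma-separated lists and ranges such as 5900-5999. With no
# LISTING argument the live `semanage port -l` output is used.
port_label() {
  local proto="$1" port="$2" listing="${3:-$(semanage port -l)}"
  printf '%s\n' "$listing" | awk -v proto="$proto" -v port="$port" '
    $2 == proto {
      for (i = 3; i <= NF; i++) {            # fields 3.. are ports or ranges
        gsub(",", "", $i)
        n = split($i, r, "-")
        lo = r[1] + 0; hi = (n == 2) ? r[2] + 0 : lo
        if (port + 0 >= lo && port + 0 <= hi) { print $1; exit }
      }
    }'
}

# port_change_cmd PROTO PORT TYPE LISTING: print the semanage command that gives
# PORT/PROTO the label TYPE, or nothing if it already has it. A port carries only
# one label, so an unlabeled port needs -a and an already-labeled one needs -m;
# running -a on a labeled port fails with "already defined".
port_change_cmd() {
  local proto="$1" port="$2" type="$3" listing="$4" current
  current=$(port_label "$proto" "$port" "$listing")
  if [ "$current" = "$type" ]; then
    return 0                                  # nothing to do
  elif [ -z "$current" ]; then
    printf 'semanage port -a -t %s -p %s %s\n' "$type" "$proto" "$port"
  else
    printf 'semanage port -m -t %s -p %s %s\n' "$type" "$proto" "$port"
  fi
}

# Against the constructed listing: gopher on 71/TCP is unlabeled, so -a;
# 8008/TCP already belongs to http_port_t, so pointing it elsewhere needs -m.
port_change_cmd tcp 71 gopher_port_t "$SAMPLE_PORT_LIST"
port_change_cmd tcp 8008 gopher_port_t "$SAMPLE_PORT_LIST"
```

Review the printed command before running it as root; relabeling a port that belongs to another service moves it out of that service's policy.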