Control SELinux Port Labeling
SELinux Port Labeling
In addition to file context and process type labeling, SELinux labels network ports with an SELinux context. SELinux controls network access by labeling the network ports and including rules in a service's targeted policy. For example, the SSH targeted policy includes the 22/TCP port with an ssh_port_t port context label. In the HTTP policy, the default 80/TCP and 443/TCP ports use an http_port_t port context label.
When a targeted process attempts to open a port for listening, SELinux verifies that the policy includes entries that allow that process type to bind to that port context. SELinux can then block a rogue service from taking over ports that other legitimate network services use.
Typically, the targeted policy has already labeled all expected ports with the correct type. For example, because port 8008/TCP is often used for web applications, that port is already labeled with http_port_t, which is the default port type that a web server uses. An individual port can carry only one port context.
List Port Labels
Use grep on /etc/services to find the ports a service conventionally uses:
grep gopher /etc/services
Then use semanage to list the SELinux port labels for that service:
semanage port -l | grep ftp
ftp_data_port_t                tcp      20
ftp_port_t                     tcp      21, 989, 990
ftp_port_t                     udp      989, 990
tftp_port_t                    udp      69
Use the semanage command to assign new port labels, remove port labels, and modify existing ones.
You can label a new port with an existing port context label (type). The semanage port command's -a option adds a new port label; the -t option denotes the type; and the -p option denotes the protocol.
[root@host ~]# semanage port -a -t port_label -p tcp|udp PORTNUMBER
For example, enable the gopher service to listen on the 71/TCP port:
[root@host ~]# semanage port -a -t gopher_port_t -p tcp 71
To see only the local changes made on top of the default policy, use the -C option:
semanage port -l -C
Service-specific SELinux man pages are named after the service with a _selinux suffix. These man pages cover the service's SELinux types, Booleans, and port types, and are not installed by default. To view a list of all of the available SELinux man pages, install the package that provides them and then run man -k _selinux.
Use the semanage command with the -d option to delete a port label. For example:
[root@host ~]# semanage port -d -t gopher_port_t -p tcp 71
To change a port binding when requirements change, use the -m option. For example:
[root@server ~]# semanage port -m -t http_port_t -p tcp 71
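As an added example (not part of the original notes), the helper below parses semanage port -l output, using a constructed sample embedded inline rather than a live listing, to show which type already covers a port and whether adding a label needs -a or -m. It assumes the semanage behaviour that -a is refused for a port that already has an exact definition, while a port covered only by a range (such as unreserved_port_t) can still be added with -a.

```shell
# Constructed sample of `semanage port -l` output (not captured from a real host).
SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number
ftp_data_port_t                tcp      20
ftp_port_t                     tcp      21, 989, 990
gopher_port_t                  tcp      70
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
tftp_port_t                    udp      69
unreserved_port_t              tcp      1024-32767, 61001-65535'

# port_label PROTO PORT
# Prints the port type covering PORT/PROTO plus "exact" (port listed
# explicitly) or "range" (port only falls inside a range). Returns 1 if
# no entry matches. The listing is read line by line; each line has the
# form: TYPE PROTO PORTS where PORTS is "21, 989, 990" or "1024-32767".
port_label() {
  proto=$1; port=$2
  while read -r ptype p ports; do
    [ "$p" = "$proto" ] || continue      # also skips the header line
    for entry in $(printf '%s' "$ports" | tr ',' ' '); do
      case $entry in
        *-*) lo=${entry%-*}; hi=${entry#*-}; kind=range ;;
        *)   lo=$entry;      hi=$entry;      kind=exact ;;
      esac
      if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
        printf '%s %s\n' "$ptype" "$kind"
        return 0
      fi
    done
  done <<EOF
$SAMPLE_PORT_LIST
EOF
  return 1
}

# port_change_cmd PROTO PORT TYPE
# Prints the semanage command needed so that PORT/PROTO carries TYPE:
# -a when the port has no exact definition (a covering range is fine),
# -m when it already has an exact definition with another type,
# nothing when it already carries TYPE.
port_change_cmd() {
  proto=$1; port=$2; want=$3
  set -- $(port_label "$proto" "$port")   # $1 = current type, $2 = kind
  cur=$1; kind=$2
  if [ "$cur" = "$want" ] && [ "$kind" = exact ]; then
    return 0
  elif [ "$kind" = exact ]; then
    printf 'semanage port -m -t %s -p %s %s\n' "$want" "$proto" "$port"
  else
    printf 'semanage port -a -t %s -p %s %s\n' "$want" "$proto" "$port"
  fi
}
```

On a real host, replace SAMPLE_PORT_LIST with the output of semanage port -l to get the same pre-check before editing the policy.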
Troubleshooting
Use the following command to confirm which process is actually listening on a port and whether the service bound to the port you expect:
netstat -plnt | grep service-or-ports
You can also use sealert to check whether SELinux denied anything, such as a bind to an unlabeled or wrongly labeled port:
sealert -a /var/log/audit/audit.log