Opening ports to Security-Enhanced Linux (SELinux) using semanage

  • 7024831
  • 18-Sep-2020
  • 22-Sep-2020

Environment

Host Access for the Cloud 2.4 through 2.5.1

Situation

How to use the semanage command to open the ports required by MSS or the HACloud session server on a Red Hat or CentOS system.

Resolution

HACloud sessionserver default port:
7443 - HTTPS

MSS typical port configuration:
8880 - HTTP - Administrative Console, Terminal ID Management, Metering Management
8443 - HTTPS - Administrative Console, Terminal ID Management, Metering Management
8003 - X.509 Trusted subsystem
8761 - Service Registry
8089 - Metering server

To add the above ports so that they are not blocked by SELinux, issue the following commands as root:
semanage port -a -t http_port_t -p tcp 7443
semanage port -a -t http_port_t -p tcp 8880
semanage port -a -t http_port_t -p tcp 8443
semanage port -a -t http_port_t -p tcp 8003
semanage port -a -t http_port_t -p tcp 8761
semanage port -a -t http_port_t -p tcp 8089

You can check your configuration with:
semanage port -l | grep http_port

You should see a list of all ports open in the http_port_t context including all the ones just added.
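
`semanage port -a` returns an error for a port that already has its own definition, so it helps to compare the ports against the existing labels before running the commands above. The following is an added example, not part of the original article, that reads a `semanage port -l` listing and prints what is needed for each port; the sample listing is constructed, and `plan_port_labels`, `demo` and the type `example_svc_port_t` are names made up for the illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: read a `semanage port -l`
# listing and decide, per port, whether `semanage port -a` is needed.

# plan_port_labels TYPE PORT...   (listing on stdin; TCP rows only)
# Prints one line per port: a semanage command, or a comment saying why not.
plan_port_labels() {
    local type=$1; shift
    awk -v want="$type" -v ports="$*" '
        $2 == "tcp" {            # row: <type> tcp <port>[, <port|range>...]
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                # Only an exact single-port entry collides with "-a"; a port
                # that merely falls inside a range can still be added alone.
                if (p !~ /-/ && owner[p] != want) owner[p] = $1
            }
        }
        END {
            n = split(ports, list, " ")
            for (j = 1; j <= n; j++) {
                p = list[j]
                if (!(p in owner))
                    printf "semanage port -a -t %s -p tcp %s\n", want, p
                else if (owner[p] == want)
                    printf "# %s already labeled %s, nothing to do\n", p, want
                else
                    printf "# %s is labeled %s; review before: semanage port -m -t %s -p tcp %s\n", p, owner[p], want, p
            }
        }'
}

# Constructed sample of `semanage port -l` output, not captured from a real host.
# example_svc_port_t is a hypothetical type used to show a conflict.
SAMPLE_LISTING='SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
example_svc_port_t             tcp      8761
unreserved_port_t              tcp      61001-65535, 1024-32767
unreserved_port_t              udp      61001-65535, 1024-32767'

# Ports from the article: HACloud session server (7443) and MSS.
ARTICLE_PORTS="7443 8880 8443 8003 8761 8089"

# On a real host: semanage port -l | plan_port_labels http_port_t $ARTICLE_PORTS
demo() { printf '%s\n' "$SAMPLE_LISTING" | plan_port_labels http_port_t $ARTICLE_PORTS; }
demo
```

A port reported under a different type is left for review rather than relabeled automatically, because `-m` moves it away from the service it was assigned to.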

Cause

Security-Enhanced Linux (SELinux) is an extra layer of security enabled by default on Red Hat and CentOS Linux distributions. Ports need to be added to a context or it will appear that they are blocked, even though they have been opened in the firewall.

Additional Information

The semanage command is used to view and change SELinux configuration settings. The getenforce command is used to see whether SELinux is enabled, and setenforce can change whether SELinux is being enforced or not.
Note: The utilities referenced above are provided in the policycoreutils-python package from the EPEL (Extra Packages for Enterprise Linux) repository.