Security-Enhanced Linux (SELinux) is a kernel security module that adds mandatory access control to a Linux system. It is installed and enabled by default on CentOS and Fedora (and other Red Hat based distributions).
SELinux is not a firewall, although the two overlap. A firewall filters traffic to and from your VPS on the network / the internet. SELinux decides which programs on the VPS may use which ports (among many other things) and works alongside the firewall rather than replacing it. As an administrator, this mainly means that if you, for example, move SSH to another port, that port must be opened in the firewall and must also be labelled for the SSH service in SELinux; otherwise sshd is not allowed to listen on it.
For example, SELinux restricts a network service to the ports carrying its own port type: your Apache server may only listen on ports labelled http_port_t, such as 80 and 443.
Checking the status of SELinux
You check the status of SELinux with the command:
sestatus
The output looks like this:
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31
The most important things to know from this overview are:
- SELinux status: indicates whether SELinux is on (enabled) or off (disabled) in the running kernel. Whether it actually blocks anything is shown separately by the mode.
- SELinux root directory: in this folder you will find the SELinux configuration files, including /etc/selinux/config.
- Current mode: shows enforcing if SELinux blocks (and logs) actions its policy denies, or permissive if SELinux only logs them as warnings.
- Mode from config file: the mode that will be used after the next reboot. If it differs from Current mode, the mode was changed at runtime.
Turning SELinux on or off
You can turn SELinux on or off in two ways:
- Temporary, until you restart your VPS. You do this with the command:
setenforce permissive
- The only options here are permissive (or 0) and enforcing (or 1). In both modes SELinux logs policy violations, but only in enforcing mode does it also block them; permissive mode gives warnings only. SELinux cannot be fully disabled at runtime. Check the result with getenforce.
- Permanent, but this requires a restart of your VPS. Open the config file:
nano /etc/selinux/config
- Adjust the line that reads SELINUX=enforcing. You can choose from enforcing, permissive, or disabled. Then, save the changes and close the file (ctrl + x > y > enter). For troubleshooting, prefer permissive over disabled: with SELinux disabled, new files are no longer labelled, so switching back to enforcing or permissive later requires a relabel of the file system (run touch /.autorelabel before you reboot, and expect that reboot to take longer).
Checking port labels
SELinux does not open ports; it labels each port with a port type, and a confined service may only use ports carrying its own type. You list which ports carry which type with the command:
semanage port -l
Specific ports
The output is often quite large. If you want to know how a specific port is labelled, use:
semanage port -l | grep -w portnumber
Replace 'portnumber' with the number of the port that you actually want to check. The -w option prevents substring matches (grep 22 would also match 2222 and 8022). Keep in mind that a port inside a range, such as 10005 in 10001-10010, is not listed individually and will not show up this way.
Specific type
You can also directly check for port type (i.e. a specific program / service) with the command:
semanage port -l | grep -w ssh_port_t
Where you replace ssh_port_t with the port type of the desired service / software, for example http_port_t.
Opening or closing ports
SELinux is intended to manage the access of software. So, for SELinux, "opening" a port means labelling it with a port type, which gives the matching software / service permission to use that port. The firewall still has to allow the traffic separately. The semanage tool comes from the package policycoreutils-python-utils (policycoreutils-python on CentOS 7) and must be run as root.
Opening ports
You open a port in SELinux with the command below, replacing ssh_port_t with the port type of the software / service (e.g. http_port_t) and 12345 with the actual port number that you want to open.
semanage port --add -t ssh_port_t -p tcp 12345
- --add adds the port
- -t indicates the port type, ssh_port_t in this example
- -p tcp specifies the tcp protocol
- 12345 the port number, use the syntax 1234-1238 to specify a range
If the port is already labelled with another specific type, --add fails because the port is already defined. In that case change the label with -m (modify) instead, for example for port 8080, which is http_cache_port_t by default:
semanage port -m -t http_port_t -p tcp 8080
Closing ports
You cannot delete port labels that are defined in the SELinux policy itself; semanage refuses this with a message that the port is defined in policy. Remove labels that you added yourself with the command:
semanage port -d -t ssh_port_t -p tcp 12345
Change ssh_port_t to the actual port type, for example http_port_t, and the port number 12345 to the selected port. The type and protocol must match the entry you added, otherwise semanage does not find it.
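The port check and the add-versus-modify decision from the two sections above, as an added example script that is not part of the original article. It parses the three-column output of semanage port -l, expands ranges such as 10001-10010 (which grep cannot do), prefers a service-specific type over the catch-all range types, and then prints the semanage port -a or -m command that is actually needed. The function names (port_type_for, plan_port_label, apply_port_label) and the variable SAMPLE_PORT_LIST are this example's own, and the sample listing is a constructed excerpt rather than real output.

```shell
#!/bin/sh
# Added example (not part of the original article): find the SELinux port type
# of a port and decide whether `semanage port -a` or `semanage port -m` is needed.
# The function and variable names here are this example's own.

# Constructed excerpt of `semanage port -l` output, used so the parsing logic can
# be exercised offline; the real listing is longer but has the same layout.
SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number

ephemeral_port_t               tcp      32768-61000
hi_reserved_port_t             tcp      512-1023
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
reserved_port_t                tcp      1-511
ssh_port_t                     tcp      22
unreserved_port_t              tcp      1024-32767, 61001-65535
unreserved_port_t              udp      1024-32767, 61001-65535'

# port_type_for PROTO PORT   (reads `semanage port -l` output on stdin)
# Prints the most specific port type covering PORT/PROTO. Ranges such as
# 10001-10010 are expanded, which a plain `grep 10005` would miss, and the
# catch-all range types (reserved_port_t, unreserved_port_t, ...) are only
# reported when no service-specific type matches.
port_type_for() {
    awk -v proto="$1" -v port="$2" '
        $2 == proto {
            ports = ""
            for (i = 3; i <= NF; i++) ports = ports $i     # "8080,8118,10001-10010"
            n = split(ports, items, ",")
            for (i = 1; i <= n; i++) {
                lo = hi = items[i]
                if (split(items[i], r, "-") == 2) { lo = r[1]; hi = r[2] }
                if (port + 0 >= lo + 0 && port + 0 <= hi + 0) {
                    if ($1 ~ /^(reserved|hi_reserved|unreserved|ephemeral)_port_t$/)
                        generic = $1
                    else
                        specific = $1
                }
            }
        }
        END {
            if (specific != "") print specific
            else if (generic != "") print generic
        }'
}

# plan_port_label TYPE PROTO PORT   (reads `semanage port -l` output on stdin)
# Prints the semanage command that gives PORT/PROTO the label TYPE, or nothing
# if it already carries it. A port covered only by a catch-all range is added
# with -a; a port already labelled with another specific type (8080 is
# http_cache_port_t by default) must be changed with -m, because -a refuses a
# port that is already defined.
plan_port_label() {
    want=$1; proto=$2; port=$3
    current=$(port_type_for "$proto" "$port")
    case $current in
        "$want") ;;
        ""|reserved_port_t|hi_reserved_port_t|unreserved_port_t|ephemeral_port_t)
            echo "semanage port -a -t $want -p $proto $port" ;;
        *)
            echo "semanage port -m -t $want -p $proto $port" ;;
    esac
}

# apply_port_label TYPE PROTO PORT: run the planned command against the live
# system. Needs root and the semanage tool (package policycoreutils-python-utils).
apply_port_label() {
    cmd=$(semanage port -l | plan_port_label "$@")
    if [ -z "$cmd" ]; then
        echo "port $3/$2 already labelled $1"
        return 0
    fi
    echo "+ $cmd"
    $cmd
}

# Dry run against the constructed listing: prints the command for each case.
printf '%s\n' "$SAMPLE_PORT_LIST" | plan_port_label ssh_port_t tcp 12345   # -a
printf '%s\n' "$SAMPLE_PORT_LIST" | plan_port_label http_port_t tcp 8080   # -m
```

On a real system, run apply_port_label ssh_port_t tcp 12345 as root; the dry-run lines at the bottom only read the constructed sample and never touch the policy. The firewall rule for the port is still a separate step.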
Should you have any questions left regarding this article, do not hesitate to contact our support department. You can reach them via the ‘Contact Us’ button at the bottom of this page.