    What is Selinux?

    Security-Enhanced Linux, or SELinux, is a kernel security module that improves the security of a Linux system. It is installed and enabled by default on CentOS and Fedora installations.

    SELinux is not a firewall, but the two overlap. A firewall checks traffic to and from a computer on a network or the internet; SELinux controls which programs may use which ports and is primarily intended as an extra layer beside a firewall. As an administrator, this mainly means that if you, for example, change your SSH port, that port must also be opened for the SSH service in SELinux.

    For example, you can use SELinux to limit network services to a specific port, or your Apache server to port 80.


    Checking the status of SELinux

    You check the status of SELinux with the command:

    sestatus

    The output looks like this:

    SELinux status:                 enabled
    SELinuxfs mount:                /sys/fs/selinux
    SELinux root directory:         /etc/selinux
    Loaded policy name:             targeted
    Current mode:                   enforcing
    Mode from config file:          enforcing
    Policy MLS status:              enabled
    Policy deny_unknown status:     allowed
    Max kernel policy version:      31

    The most important things to know from this overview are:

    • Status: Indicates whether SELinux is on (enabled), off (disabled), or enabled but only logging warnings without blocking anything (permissive).
    • Root directory: In this folder, you will find the SELinux configuration files.
    • Current mode: Shows enforcing if SELinux implements its policies, or permissive if SELinux only gives warnings.

    Turning SELinux on or off

    You can turn SELinux on or off in two ways:

    • Temporarily, until you restart your VPS. You do this with the command:
    setenforce permissive
      The only options here are permissive or enforcing. In both cases SELinux logs warnings, but in permissive mode it takes no further action.

    • Permanently, which requires a restart of your VPS. Open the config file:
    nano /etc/selinux/config
      Adjust the line that reads SELINUX=enforcing. You can choose from enforcing, permissive, or disabled. Then save the changes and close the file (Ctrl + X, Y, Enter).

    Checking open ports

    You check the open ports with the command:

    semanage port -l

    Specific ports

    The output is often quite large. If you want to know if a specific port is open, use:

    semanage port -l | grep portnumber

    Replace 'portnumber' with the number of the port that you want to check. Note that grep matches the number anywhere in the line, so searching for 22 also matches 2222, and a port that is covered by a range such as 1024-32767 is not found at all.


    Specific type

    You can also directly check for port type (i.e. a specific program / service) with the command:

    semanage port -l | grep -w ssh_port_t

    Replace ssh_port_t with the port type of the desired service or software, for example http_port_t.


    Opening or closing ports

    SELinux is intended to specifically manage the access of software. So, for SELinux, when you talk about opening ports it is about giving software / services access to a port.


    Opening ports

    You open a port in SELinux with the command below, replacing ssh_port_t with the port type of the software / service (e.g. http_port_t) and 12345 with the actual port number that you want to open.

    semanage port --add -t ssh_port_t -p tcp 12345
    • --add adds the port
    • -t indicates the port type, ssh_port_t in this example
    • -p tcp specifies the tcp protocol
    • 12345 the port number, use the syntax 1234-1238 to specify a range

    Closing ports

    You cannot close ports that are part of the default SELinux policy; only ports that were added locally (e.g. by yourself) can be closed, with the command:

    semanage port -d -t ssh_port_t -p tcp 12345

    Change ssh_port_t to the actual port type, for example http_port_t, and 12345 to the port number you want to remove.
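    As an added example that is not part of the original article, the shell function below parses the output of semanage port -l and checks whether a port is covered by a given type and protocol, including comma-separated lists and ranges such as 1234-1238, which the plain grep check above misses or over-matches. The listing is constructed for illustration and the ensure_port helper (which calls semanage and needs root) is an assumption, not a command from the article.

```shell
#!/bin/sh
# Constructed sample of `semanage port -l` output; not captured from a real host.
SAMPLE_LISTING='SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
vnc_port_t                     tcp      5900-5999
unreserved_port_t              tcp      1024-32767, 61001-65535'

# Usage: port_has_type TYPE PROTO PORT [LISTING]
# Exit status 0 when PORT falls inside one of the ports or ranges labelled
# TYPE for PROTO in LISTING (defaults to the constructed sample above).
port_has_type() {
    type=$1; proto=$2; port=$3; listing=${4:-$SAMPLE_LISTING}
    printf '%s\n' "$listing" | awk -v t="$type" -v p="$proto" -v n="$port" '
        # Only the line(s) for the requested type and protocol matter.
        $1 == t && $2 == p {
            for (i = 3; i <= NF; i++) {
                f = $i; sub(/,$/, "", f)             # strip list separator
                if (split(f, r, "-") == 2) {         # range: low-high
                    lo = r[1] + 0; hi = r[2] + 0
                } else {                             # single port
                    lo = f + 0; hi = lo
                }
                if (n + 0 >= lo && n + 0 <= hi) found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# Usage: ensure_port TYPE PROTO PORT (hypothetical helper, requires root).
# Adds the label only when the live policy does not already cover the port,
# so repeated runs do not fail with "already defined".
ensure_port() {
    if port_has_type "$1" "$2" "$3" "$(semanage port -l)"; then
        echo "$3/$2 is already labelled $1"
    else
        semanage port --add -t "$1" -p "$2" "$3"
    fi
}

# Stand-alone demonstration against the constructed listing.
if port_has_type ssh_port_t tcp 2222; then
    echo "2222/tcp is labelled ssh_port_t"
else
    echo "2222/tcp is not labelled ssh_port_t (grep 22 would have matched it)"
fi
```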


    Should you have any questions left regarding this article, do not hesitate to contact our support department. You can reach them via the ‘Contact Us’ button at the bottom of this page.