LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

How does SELinux control network ports?

Ports get type labels too (e.g. 80/443 → http_port_t, 22 → ssh_port_t), and a process may only bind to a port whose type its policy permits — so a hijacked service can't open arbitrary ports or impersonate another service's port.

This extends the same type-enforcement idea from files to the network: binding a socket is an action checked against policy, where the "resource" is the port's label. Apache (httpd_t) is allowed to bind http_port_t; if it tried to listen on, say, 8080 (not labelled http_port_t), SELinux blocks it — which is exactly why running a service on a non-standard port often needs semanage port -a first. Inspect labels with semanage port -l.

Port context examples:

Service Port SELinux Type
SSH 22/TCP ssh_port_t
HTTP 80/TCP http_port_t
HTTPS 443/TCP http_port_t

How it works:

  1. Process tries to bind to a port
  2. SELinux checks if process type can bind to port type
  3. Prevents rogue services from using legitimate ports

Example:

  • Apache (httpd_t) can bind to http_port_t ports
  • If httpd tries to bind to a non-http port, SELinux blocks it

List port labels:

semanage port -l
semanage port -l | grep http
semanage port -l | grep -w 22

Benefit: Prevents compromised services from opening unauthorized ports.

From Quiz: LIOS / SELinux Security | Updated: Jul 14, 2026