How does SELinux control network ports?
Ports get type labels too (e.g. 80/443 → http_port_t, 22 → ssh_port_t), and a process may only bind to a port whose type its policy permits — so a hijacked service can't open arbitrary ports or impersonate another service's port.
This extends the same type-enforcement idea from files to the network: binding a socket is an action checked against policy, where the "resource" is the port's label. Apache (httpd_t) is allowed to bind http_port_t; if it tried to listen on, say, 8080 (not labelled http_port_t), SELinux blocks it — which is exactly why running a service on a non-standard port often needs semanage port -a first. Inspect labels with semanage port -l.
Port context examples:
| Service | Port | SELinux Type |
|---|---|---|
| SSH | 22/TCP | ssh_port_t |
| HTTP | 80/TCP | http_port_t |
| HTTPS | 443/TCP | http_port_t |
How it works:
- Process tries to bind to a port
- SELinux checks if process type can bind to port type
- Prevents rogue services from using legitimate ports
Example:
- Apache (
httpd_t) can bind tohttp_port_tports - If httpd tries to bind to a non-http port, SELinux blocks it
List port labels:
semanage port -l
semanage port -l | grep http
semanage port -l | grep -w 22
Benefit: Prevents compromised services from opening unauthorized ports.