What is SELinux?

Security-Enhanced Linux, or SELinux, is a Linux kernel security module that improves the security of a Linux system by enforcing access policies. It is installed by default on CentOS and Fedora installations.

SELinux is not a firewall, but the two have common ground. A firewall checks traffic between a computer and the network or the internet; SELinux checks and manages which programs may use which ports, and is primarily intended as an extra layer on top of a firewall. For an administrator this mainly means that if you, for example, change your SSH port, that port must also be allowed for the SSH service in SELinux.

For example, you can use SELinux to restrict network services to a specific port, such as limiting your Apache server to port 80.


Checking the status of SELinux

You check the status of SELinux with the command:

sestatus

The output looks like this:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31

The most important things to know from this overview are:

  • Status: indicates whether SELinux is on (enabled), off (disabled), or enabled but only giving warnings without taking any action (permissive).
  • Root directory: the folder in which you will find the SELinux configuration files.
  • Current mode: shows enforcing if SELinux enforces its policies, or permissive if SELinux only gives warnings.

Turning SELinux on or off

You can turn SELinux on or off in two ways:

  • Temporarily, until you restart your VPS. You do this with the command:
    setenforce permissive
    The only options here are permissive and enforcing. SELinux logs warnings in both modes, but with permissive it takes no further action; only in enforcing mode does it actually block the access.

  • Permanently, but this requires a restart of your VPS. Open the config file:
    nano /etc/selinux/config
    Adjust the line that reads SELINUX=enforcing. You can choose from enforcing, permissive, or disabled. Then save the changes and close the file (Ctrl + X, then Y, then Enter).

Checking open ports

You check the open ports with the command:

semanage port -l


Specific ports

The output is often quite large. If you want to know if a specific port is open, use:

semanage port -l | grep portnumber

Replace 'portnumber' with the number of the port that you actually want to check.


Specific type

You can also check directly for a port type (i.e. a specific program or service) with the command:

semanage port -l | grep -w ssh_port_t

Replace ssh_port_t with the port type of the desired service or software, for example http_port_t.


Opening or closing ports

SELinux is intended to manage the access of specific software. So, in SELinux terms, opening a port means giving a piece of software or a service permission to use that port.


Opening ports

You open a port in SELinux with the command below, replacing ssh_port_t with the port type of the software or service (e.g. http_port_t) and 12345 with the actual port number that you want to open.

semanage port --add -t ssh_port_t -p tcp 12345

  • --add adds the port
  • -t indicates the port type, ssh_port_t in this example
  • -p tcp specifies the TCP protocol
  • 12345 is the port number; use the syntax 1234-1238 to specify a range
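The checks under "Specific type" and the add command above can be combined into a small decision helper. This is an added example, not part of the original article: it parses the output of semanage port -l, decides whether a port is already allowed for a type, unassigned, or owned by another type, and picks the matching semanage command. SAMPLE_LISTING is a constructed excerpt in the semanage output format so the logic can be tried without SELinux installed; ensure_port assumes root and a system where semanage is available.

```shell
#!/bin/sh
# Added example, not from the original article: work out which semanage
# command allows PORT/PROTO for a given SELinux port type. The listing is
# the output of `semanage port -l`; SAMPLE_LISTING is a constructed excerpt
# in that format so the helpers can be exercised without SELinux installed.

SAMPLE_LISTING='SELinux Port Type               Proto    Port Number

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22'

# port_owner LISTING PROTO PORT: print the port type(s) that own PORT/PROTO,
# expanding comma-separated lists and low-high ranges.
port_owner() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
        NR > 1 && $2 == proto {
            ports = ""
            for (i = 3; i <= NF; i++) ports = ports $i   # "80, 81" -> "80,81"
            n = split(ports, entry, ",")
            for (i = 1; i <= n; i++) {
                if (split(entry[i], r, "-") == 2) { lo = r[1]; hi = r[2] }
                else { lo = entry[i]; hi = entry[i] }
                if (port + 0 >= lo + 0 && port + 0 <= hi + 0) print $1
            }
        }'
}

# semanage_action LISTING TYPE PROTO PORT -> none | add | modify
#   none   : PORT is already allowed for TYPE, nothing to do
#   add    : PORT is unassigned, use  semanage port -a -t TYPE -p PROTO PORT
#   modify : PORT belongs to another type; -a would fail with "already
#            defined", so use  semanage port -m -t TYPE -p PROTO PORT
semanage_action() {
    owners=$(port_owner "$1" "$3" "$4")
    if [ -z "$owners" ]; then
        echo add
    elif printf '%s\n' "$owners" | grep -qxF "$2"; then
        echo none
    else
        echo modify
    fi
}

# ensure_port TYPE PROTO PORT: apply the decision on a real system (needs root
# and the policycoreutils package that provides semanage).
ensure_port() {
    case $(semanage_action "$(semanage port -l)" "$1" "$2" "$3") in
        add)    semanage port -a -t "$1" -p "$2" "$3" ;;
        modify) semanage port -m -t "$1" -p "$2" "$3" ;;
        none)   echo "$2/$3 is already allowed for $1" ;;
    esac
}
```

For example, moving SSH to 2222 gives "add", while assigning 8080 to http_port_t gives "modify" because the sample policy already owns 8080 as http_cache_port_t.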


Closing ports

You cannot remove ports that are defined in the SELinux policy itself. Remove other ports (e.g. ports you added yourself) with the command:

semanage port -d -t ssh_port_t -p tcp 12345

Replace ssh_port_t with the actual port type, for example http_port_t, and the port number 12345 with the chosen port.


Should you have any questions left regarding this article, do not hesitate to contact our support department. You can reach them via the ‘ContactUs’ button at the bottom of this page.

If you want to discuss this article with other users, please leave a message under 'Comments'.