Modifying port context

SELinux does much more than restrict process access to files based on SELinux labels. It can also control network traffic by restricting which ports a service is allowed to use. By default, the SELinux policy allows the ssh service to access port 22/TCP. In the following example, we allow ssh to run on another port, 2525/TCP, in addition to its default port, as shown in the following steps:

  1. The semanage command can be used with the port sub-command to list the current port assigned to a service, as shown in the following screenshot:

  2. We can also use the semanage command to grant a particular service access to any custom port. In the following screenshot, the semanage command is used to add the selected port to the access list of a particular service:

  3. The semanage command can also be used to remove the association of a port with a particular service, as shown in the following screenshot:
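
The three steps above as a shell sketch, added here and not taken from the book: it parses `semanage port -l` output and prints the `semanage port -a` or `-d` command only when the listing shows a change is needed. `ssh_port_t` is the policy's type for the ssh port; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `semanage port -l` output (not captured from a real host).
SAMPLE_LISTING='SELinux Port Type              Proto    Port Number

smtp_port_t                    tcp      25, 465, 587
ssh_port_t                     tcp      22
syslogd_port_t                 udp      514, 601'

# ports_for_type TYPE PROTO (hypothetical helper): read a `semanage port -l`
# listing on stdin and print each port (or range) assigned to TYPE/PROTO,
# one per line.
ports_for_type() {
    awk -v t="$1" -v p="$2" '$1 == t && $2 == p {
        for (i = 3; i <= NF; i++) { gsub(/,/, "", $i); print $i }
    }'
}

# has_port TYPE PROTO PORT: succeed if PORT is listed exactly for TYPE/PROTO.
has_port() {
    ports_for_type "$1" "$2" | grep -qx "$3"
}

# port_cmd ACTION TYPE PROTO PORT: print the semanage command needed, or
# nothing when the listing on stdin already reflects the desired state.
port_cmd() {
    if has_port "$2" "$3" "$4"; then present=1; else present=0; fi
    case "$1:$present" in
        add:0)    echo "semanage port -a -t $2 -p $3 $4" ;;
        remove:1) echo "semanage port -d -t $2 -p $3 $4" ;;
    esac
}

# On a real host (as root), feed the live listing instead of the sample:
#   semanage port -l | port_cmd add ssh_port_t tcp 2525
#   semanage port -l | port_cmd remove ssh_port_t tcp 2525
```

Checking the listing first keeps the change idempotent, which matters when the commands run from provisioning scripts rather than by hand.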
