HOWTO: Configure SELinux to use non-standard ports

First, you need to be able to tune the parameters, so you need some packages:

[root@rhce ~]# yum -y install setroubleshoot-server selinux-policy-devel

Wait, I want to use a port other than 80 for apache/http – how do I know which SELinux port type to use?

[root@rhce ~]# semanage port -l | grep http
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989

OK.  80 is “http_port_t”

Now, I need to choose the port I want to use (25000) & see which SELinux port type it currently falls under:

[root@rhce ~]# sepolicy network -p 25000
25000: tcp unreserved_port_t 1024-32767
25000: udp unreserved_port_t 1024-32767

NICE!  It’s not assigned to any specific type, only the generic unreserved_port_t range.  Now, I need to allow apache/httpd to use it:

[root@rhce ~]# semanage port -a -t http_port_t -p tcp 25000

If you want to remove the port, replace -a with -d & run again.

Check to see that it’s been applied appropriately:

[root@rhce ~]# sepolicy network -p 25000
25000: tcp http_port_t 25000
25000: tcp unreserved_port_t 1024-32767
25000: udp unreserved_port_t 1024-32767

NICE!
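
The check-then-add steps above as a script; this is an added example, not code from the original post. The function names port_action and label_port are hypothetical, and besides unreserved_port_t the catch-all type names are assumed from the reference policy.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): decide how to label a port
# from `sepolicy network -p PORT` output before touching policy.

# Catch-all range types. unreserved_port_t appears in the post; the other
# three are assumed reference-policy names, confirm them on your system.
GENERIC_TYPES="unreserved_port_t reserved_port_t hi_reserved_port_t ephemeral_port_t"

# port_action WANT_TYPE PROTO   (reads sepolicy output on stdin)
# Prints: none | add | conflict:<type>
port_action() {
    awk -v want="$1" -v proto="$2" -v generic="$GENERIC_TYPES" '
        BEGIN { n = split(generic, g, " "); for (i = 1; i <= n; i++) isgen[g[i]] = 1 }
        $2 == proto {
            if ($3 == want) have = 1
            else if (!($3 in isgen) && other == "") other = $3
        }
        END {
            if (have) print "none"                         # label already present
            else if (other != "") print "conflict:" other  # owned by another type
            else print "add"                               # only catch-all ranges
        }'
}

# label_port PORT [TYPE] [PROTO]: run the check, add the label only when safe.
label_port() {
    local port=$1 type=${2:-http_port_t} proto=${3:-tcp} action
    action=$(sepolicy network -p "$port" | port_action "$type" "$proto")
    case $action in
        none) echo "$proto/$port is already $type" ;;
        add)  semanage port -a -t "$type" -p "$proto" "$port" ;;
        conflict:*)
            echo "$proto/$port already belongs to ${action#conflict:}; pick another port" >&2
            return 1 ;;
    esac
}

# Demo on a line copied from the post (runs without SELinux tools); prints "add".
printf '%s\n' '25000: tcp unreserved_port_t 1024-32767' | port_action http_port_t tcp
```

On a real host, run label_port 25000 as root; it refuses to relabel a port that another policy type already claims instead of silently taking it over.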

Next, open the firewall to allow the port & then make it permanent:

[root@rhce ~]# firewall-cmd --add-port 25000/tcp
success
[root@rhce ~]# firewall-cmd --add-port 25000/tcp --permanent
success

Make your httpd.conf / vhosts.conf changes, restart apache & you’re IN with the new port: