Many administrators struggle with deleting port ranges in SELinux policies through semanage port -d. The command's syntax for ranges isn't immediately obvious from its help output, leading to multiple failed attempts like:
semanage port -d -t http_port_t -p tcp 1-60000
semanage port -d -t http_port_t -p tcp 1000-10000
semanage port -d -t http_port_t -p tcp '1,60000'
The correct way to delete a port range requires listing individual ports you want to remove. Here's the working approach:
# First list existing port assignments
semanage port -l | grep http_port_t
# Then delete each port individually (example for ports 8080-8085)
for port in {8080..8085}; do
semanage port -d -t http_port_t -p tcp $port
done
For bulk operations, consider modifying SELinux policy modules directly:
# Create a local policy module
semodule -DB
# Export current port definitions
sesearch --port -c port -A | grep http_port_t > http_ports.te
# Edit the file to remove unwanted ports
vi http_ports.te
# Recompile and load the modified policy
checkmodule -M -m -o http_ports.mod http_ports.te
semodule_package -o http_ports.pp -m http_ports.mod
semodule -i http_ports.pp
Always verify your changes:
# Check if ports were removed
semanage port -l | grep http_port_t
# Test application connectivity
curl -v http://localhost:8080
Typical scenarios where you'd need to delete port ranges:
- Migrating web services to different ports
- Removing deprecated service ports
- Cleaning up test configurations
- Implementing security hardening
If you encounter issues:
# Check SELinux denials
ausearch -m avc -ts recent
# Verify policy enforcement mode
getenforce
# Check for conflicting modules
semodule -l | grep http
When managing SELinux port contexts in CentOS, many administrators encounter difficulties when trying to remove port ranges through the semanage port command. The syntax isn't as intuitive as one might expect, especially compared to the straightforward process of adding port ranges.
The fundamental issue lies in how semanage port -d handles range specifications. Unlike the addition command which clearly accepts ranges with hyphen notation (1000-2000), the deletion operation requires a different approach.
# This works for adding a range:
semanage port -a -t http_port_t -p tcp 1000-2000
# But these attempts to delete fail:
semanage port -d -t http_port_t -p tcp 1000-2000
semanage port -d -t http_port_t -p tcp 1000,2000
Through extensive testing, I've found that the only reliable way to remove a port range is to delete it as separate individual port definitions:
# First list all ports of the type you want to remove
semanage port -l | grep http_port_t
# Then delete them individually (example for ports 8000-9000)
for port in $(seq 8000 9000); do
semanage port -d -t http_port_t -p tcp $port
done
For large ranges or frequent modifications, consider creating a custom SELinux policy module:
# Create a local policy module
cat > my_http_ports.te <After making changes, always verify the results:
# Check current port assignments
semanage port -l | grep http_port_t
# Test if the ports are truly freed up
ss -tulnp | grep ':'
- Backup your SELinux configuration before making changes:
semanage -o semanage_backup - Be aware that some services might require specific ports to function properly
- Changes persist across reboots as they modify the SELinux policy store