How to Fix “ValueError: Port tcp/5000 Already Defined” SELinux Error When Adding Apache Exception




When attempting to allow Apache access through port 5000 using:

# semanage port -a -t http_port_t -p tcp 5000

Many administrators encounter the confusing ValueError: Port tcp/5000 already defined message, even when port 5000 doesn't appear in the http_port_t list.

The key insight comes from checking ALL port assignments, not just the http context:

# semanage port -l | grep 5000

You might discover port 5000 is assigned to a different SELinux context like:

sip_port_t                    tcp      5060, 5061, 5000
or
commplex_port_t               tcp      5000

Instead of trying to add (-a) the port (which fails when any context owns it), modify (-m) the existing assignment:

# semanage port -m -t http_port_t -p tcp 5000

After modification, verify with:

# semanage port -l | grep http_port_t

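For complex cases where multiple services need port 5000, consider the following. Note that nis_enabled is a system-wide boolean that relaxes network port restrictions for many confined domains, not just Apache: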

# semanage port -a -t alternate_port_t -p tcp 5000
# setsebool -P nis_enabled 1

Similar issues occur with:

  • TCP/8080 (often claimed by tomcat_port_t)
  • TCP/3000 (nodejs_port_t conflict)
  • TCP/5432 (postgresql_port_t overlap)

Always check full port assignments before modification attempts.
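
The check-then-choose logic above as a small shell helper (an added example, not part of the original article): it parses `semanage port -l` output and reports whether `-a` or `-m` applies. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `semanage port -l` output (not captured from a real host).
SAMPLE='SELinux Port Type              Proto    Port Number

commplex_port_t                tcp      5000
commplex_port_t                udp      5000
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
unreserved_port_t              tcp      61001-65535, 1024-32767'

# owner_of PROTO PORT: read `semanage port -l` text on stdin and print every
# type that lists PORT as an exact entry for PROTO. Ranges are skipped on
# purpose: a single port that only falls inside a range can still be added
# with -a, so it does not trigger the "already defined" error.
owner_of() {
    awk -v proto="$1" -v port="$2" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i
                sub(/,$/, "", p)          # strip the list separator
                if (p == port) { print $1; break }
            }
        }'
}

# choose_action TYPE PROTO PORT: read the listing on stdin and print
#   none  if TYPE already owns the port
#   -m    if a different type owns it (the case from this article)
#   -a    if no type lists the port as an exact entry
choose_action() {
    owners=$(owner_of "$2" "$3")
    if [ -z "$owners" ]; then
        echo "-a"
    elif printf '%s\n' "$owners" | grep -qxF "$1"; then
        echo "none"
    else
        echo "-m"
    fi
}

# Demonstration on the constructed sample; prints "-m".
printf '%s\n' "$SAMPLE" | choose_action http_port_t tcp 5000

# On a real host, feed it the live listing instead:
#   semanage port -l | choose_action http_port_t tcp 5000
```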


When attempting to add an SELinux exception for Apache to use port 5000, you might encounter:

# semanage port -a -t http_port_t -p tcp 5000
ValueError: Port tcp/5000 already defined

Interestingly, checking the ports assigned to Apache shows no entry for port 5000:

# semanage port -l | grep http_port_t
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000

The error suggests port 5000 has already been registered under a different SELinux context. To identify the conflicting assignment:

# semanage port -l | grep -w 5000
docker_port_t                  tcp      5000, 2375, 2376

This reveals Docker has already claimed port 5000 for its own services.

Instead of using -a (add), which fails when the port is already defined, use -m (modify) to reassign the port:

# semanage port -m -t http_port_t -p tcp 5000

Verify the change took effect:

# semanage port -l | grep http_port_t
http_port_t                    tcp      5000, 80, 81, 443, 488, 8008, 8009, 8443, 9000

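For testing purposes, you can temporarily set SELinux to permissive mode while applying the change. setenforce affects only the running system, and permissive mode logs denials instead of blocking them, so return to enforcing mode as soon as the test is done. Use -m here as well, because -a fails in either mode when the port is already defined:

# setenforce 0
# semanage port -m -t http_port_t -p tcp 5000
# setenforce 1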

To get detailed information about a specific port's SELinux context:

# semanage port -l | grep -E '(5000|http_port_t)'

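Or list the port definitions in the loaded policy that use Apache's port type (seinfo -x -t http_port_t shows only the type and its attributes, not its ports):

# seinfo --portcon | grep http_port_t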

Service Conflicts: After reassigning port 5000, any service relying on it (like Docker registry) will need reconfiguration.

Persistent Changes: SELinux modifications persist across reboots. To revert:

# semanage port -d -t http_port_t -p tcp 5000

If Apache still can't bind to port 5000, check for denials:

# ausearch -m avc -ts recent
# sealert -a /var/log/audit/audit.log

This helps identify if additional SELinux policies need adjustment.