前提

很多朋友估计会有这种经历, 在 Linux 中监听某个端口时, 但并不能被别的机器访问。 这主要是是因为这个端口没有被开放, 因此不可以访问。 网上有很多关于怎么开放端口的, 今天介绍一个很实用的工具 - semanage

semanage 简介

NAME
       semanage - SELinux Policy Management tool

SYNOPSIS
       semanage {import,export,login,user,port,interface,module,node,fcontext,boolean,permissive,dontaudit,ibpkey,ibendport}
                       ...  positional arguments:

       import Import local customizations

       export Output local customizations

       login Manage login mappings between linux users and SELinux confined users

       user Manage SELinux confined users (Roles and levels for an SELinux user)

       port Manage network port type definitions

       interface Manage network interface type definitions

       module Manage SELinux policy modules

       node Manage network node type definitions

       fcontext Manage file context mapping definitions

       boolean Manage booleans to selectively enable functionality

       permissive Manage process type enforcement mode

       dontaudit Disable/Enable dontaudit rules in policy

       ibpkey Manage infiniband pkey type definitions

       ibendport Manage infiniband end port type definitions

DESCRIPTION
       semanage  is  used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources.  This includes the mapping from Linux usernames to SELinux user identities
       (which controls the initial security context assigned to Linux users when they login and bounds their authorized role set) as well as security context mappings for various kinds of objects, such as network  ports,
       interfaces,  infiniband pkeys and endports, and nodes (hosts) as well as the file context mapping. See the EXAMPLES section below for some examples of common usage.  Note that the semanage login command deals with
       the mapping from Linux usernames (logins) to SELinux user identities, while the semanage user command deals with the mapping from SELinux user identities to authorized role sets.  In most cases,  only  the  former
       mapping needs to be adjusted by the administrator; the latter is principally defined by the base policy and usually does not require modification.

查看开放的端口

semanage port -l | grep 5000 查看5000端口

semanage port -l | grep http_port_t 查看selinux针对http的策略开放的端口。

[root@CentOS conf.d]# semanage port -l 
SELinux Port Type              Proto    Port Number

afs3_callback_port_t           tcp      7001
afs3_callback_port_t           udp      7001
afs_bos_port_t                 udp      7007
afs_fs_port_t                  tcp      2040
afs_fs_port_t                  udp      7000, 7005

对指定策略添加开放端口

semanage port -l | grep 5000  查看5000端口 

semanage port -l | grep http_port_t   查看selinux针对http的策略开放的端口。

关闭已经开放的端口

semanage port -d -t http_port_t -p tcp 5002