Configure Custom PostgreSQL ports with SELinux

SELinux (Security-Enhanced Linux) is a great and powerful security feature that’s built into most RHEL based Linux distributions. It adds an extra layer of security by strictly controlling access to the files, system resources, and processes in your Linux server.

SELinux works by enforcing mandatory access control (MAC) which can limit the damage if a system is compromised. It also minimize potential vulnerabilities on a Linuix system through the principle of least privilege.

In this article we will look at how you can change the default service port in a system with SELinux running in enforcing mode.

SELinux Port contexts

In SELinux, port contexts are used to define security label that is associated with a network port. This allows SELinux to identify if traffic associated with a service in a network is legit and helping to prevent unauthorized access attempts to service.

List existing port contexts in your Linux machine using:

semanage port -l

We can check the port content associated with PostgreSQL service.

# semanage port -l | grep 5432
postgresql_port_t              tcp      5432, 9898

Configure Custom PostgreSQL ports with SELinux

If we need to make PostgreSQL service to use a non-standard port, we have to add the custom port to SELinux policy associated with standard port.

Suppose we want PostgreSQL to listen on port 5532, we will run:

sudo semanage port -a -t postgresql_port_t -p tcp 5532

Where:

  • semanage is the command used to manage SELinux policies.
  • port: This instructs semanage we are handling SELinux port definitions.
  • -a: Is a flag that informs semanage to add a new entry.
  • -t: Is used to define a security context associated with a port.
  • postgresql_port_t: This is a port context associated with PostgreSQL services.
  • -p tcp: The port we are adding is of type TCP.
  • 5532: The port number that we’re defining.

You can now check the port contexts associated with PostgreSQL service

$ sudo semanage port -l | grep -w postgresql_port_t
postgresql_port_t              tcp      5532, 5432, 9898

Here is another example for Redis service.

$ sudo semanage port -l | grep 6379
redis_port_t                   tcp      6379, 16379, 26379

$ sudo semanage port -a -t redis_port_t -p tcp 6479

You can then edit PostgreSQL listen port. Depending on your OS type, locate postgresql.conf file.

sudo find / -name postgresql.conf

Here is an example of setting it to listen on port 5532.

listen_addresses = '192.168.20.11:5532'

Conclusion

Adjusting SELinux polices and changing the listen port of PostgreSQL involves running commands and editing configuration file. While we covered the steps in a simplistic approach, the overall management of SELinux can be intricate.

If you require custom or complex SELinux configurations and you’re not sure about the process, don’t hesitate to get assistance from qualified security professionals from CloudSpinx.

You can Live chat or Send us a message now for further guidance.

Your IT Journey Starts Here!

Ready to level up your IT skills? Our new eLearning platform is coming soon to help you master the latest technologies.

Be the first to know when we launch! Join our waitlist now.

Join our Linux and open source community. Subscribe to our newsletter for tips, tricks, and collaboration opportunities!

Recent Post

Leave a Comment

Your email address will not be published. Required fields are marked *

Related Post

The web browser is the key arsenal that we use to browse the internet. If you want to access information […]

In this guide,we will look at how you can install Java 11 on Oracle Linux 8. Java is a widely […]

The adoption of Containers and microservice architectures has been amazing and speedy in the past few years. Docker is widely […]

Let's Connect

Unleash the full potential of your business with CloudSpinx. Our expert solutions specialists are standing by to answer your questions and tailor a plan that perfectly aligns with your unique needs.
You will get a response from our solutions specialist within 12 hours
We understand emergencies can be stressful. For immediate assistance, chat with us now

Contact CloudSpinx today!

Download CloudSpinx Profile

Discover the full spectrum of our expertise and services by downloading our detailed Company Profile. Simply enter your first name, last name, and email address.