🟠 High   ⏱ 5–30 min  Last verified: 19 May 2026
Affected versions: RHEL 10.0 RHEL 10.1

πŸ“– ~1 min read

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Application listens but clients cannot connect due to SELinux policy denial.

Environment & Reproduction

Custom service bound to non-default TCP port on enforcing hosts.

getenforce
ss -tulpn | grep

Root Cause Analysis

Port lacks expected SELinux type or binary context does not match policy.

Quick Triage

Check AVC events and current SELinux port mappings.

ausearch -m AVC -ts recent
semanage port -l | grep -E '|http_port_t'

Step-by-Step Diagnosis

Correlate service domain, port type, and denied class/perm.

journalctl -t setroubleshoot -n 100 --no-pager
sealert -a /var/log/audit/audit.log | head -n 60
Illustrative mockup for rhel-10 β€” selinux_avc_denial
AVC denial in audit log β€” Illustrative mockup β€” Progressive Robot

Solution – Primary Fix

Assign proper SELinux port type and restore file contexts.

Still having issues? Our IT Solutions & Services team can diagnose and resolve this for you. Get in touch for a free consultation.

semanage port -a -t http_port_t -p tcp  || semanage port -m -t http_port_t -p tcp 
restorecon -Rv /opt/
systemctl restart
Illustrative mockup for rhel-10 β€” selinux_port_context
Correct port context applied β€” Illustrative mockup β€” Progressive Robot

Solution – Alternative Approaches

Generate minimal local policy module when labeling is insufficient.

ausearch -m AVC -ts recent | audit2allow -M local_
semodule -i local_.pp

Verification & Acceptance Criteria

No new AVC denials and service accepts expected traffic.

ausearch -m AVC -ts recent
curl -I http://127.0.0.1:

Rollback Plan

Remove custom module or revert port mapping if behavior changes unexpectedly.

semodule -r local_
semanage port -d -t http_port_t -p tcp

Prevention & Hardening

Keep SELinux enforcing and maintain approved local policy repository.

sestatus
semanage export | grep -E 'port -a|port -m'

AVC denied name_bind, connectto denied, SELinux is preventing.

Related tutorial: View the step-by-step tutorial for rhel-10.

View all rhel-10 tutorials on the Tutorials Hub β†’

Browse all common problems & solutions on the Tutorials Hub.

References & Further Reading

SELinux troubleshooting, audit2allow, semanage port documentation.

Need Expert Help?

If you cannot resolve this yourself, our team offers hands-on Server Management, Managed IT Services, and flexible Support Plans. Contact us today β€” we respond within one business day.