What is the relation/difference between SELinux and Firewalld?

Hello Community

I had this experience:

Where the solution was to open the specific port through SELinux. Up to here, all OK.

Just to get it working on the LAN through DBeaver, after doing some research, it was mandatory to configure firewalld; otherwise it is impossible to make a remote connection to MySQL running on Fedora Server 36.

To be honest, I thought that through SELinux, once the specific port was opened, it could interact internally with Fedora's default firewall, in this case firewalld, but that is not the case.

  • What is the relation/difference between SELinux and Firewalld?

As you can see, it was mandatory to define the port in 2 different programs.

2 Likes

They’re totally different layers. Firewalld is specific to networking, whereas SELinux is specific to processes. SELinux can determine if a process should talk over a certain port or not, but the firewall is concerned with what to do with the traffic itself on that port/interface. The firewall won’t keep a process from trying to listen on a port, but can block traffic from getting to that process. Also, generally speaking, the firewall often doesn’t apply to stuff listening locally. If port 80 is blocked in the firewall, Apache can’t serve on that port to the outside world, but you should still be able to reach it using curl http://localhost from the same host, for example. SELinux can prevent a process from binding to a port or making a network connection at the process level, so it can keep it from listening locally or making outbound connections, which can prevent certain types of malware from working.

Both are very important, but are managing things from different layers of the stack.

6 Likes
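The two-layer check from the answer above, as an added example that is not part of the thread: a small POSIX shell script that decides, for one TCP port, whether the SELinux port label allows a service to bind it and whether firewalld allows traffic to reach it. It assumes MySQL on port 3306 with the `mysqld_port_t` label; the `semanage port -l` and `firewall-cmd --list-all` outputs are constructed samples embedded inline so it runs anywhere.

```shell
#!/bin/sh
# Added example, not from the thread. On a real Fedora host replace the two
# samples with: SEL_OUT=$(semanage port -l) and FW_OUT=$(firewall-cmd --list-all)

# Constructed sample of `semanage port -l` (SELinux layer: which labels own which ports)
SEL_OUT='http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
mysqld_port_t                  tcp      1186, 3306, 63132-63164
ssh_port_t                     tcp      22'

# Constructed sample of `firewall-cmd --list-all` (firewalld layer: what traffic is let in)
FW_OUT='public (active)
  target: default
  services: cockpit dhcpv6-client ssh
  ports: 3306/tcp'

# selinux_allows LABEL PORT -> exit 0 if PORT/tcp is in LABEL's list (singles or lo-hi ranges)
selinux_allows() {
  printf '%s\n' "$SEL_OUT" | awk -v t="$1" -v p="$2" '
    $1 == t && $2 == "tcp" {
      for (i = 3; i <= NF; i++) {
        gsub(",", "", $i)
        n = split($i, r, "-")
        lo = r[1]; hi = (n == 2) ? r[2] : r[1]
        if (p + 0 >= lo + 0 && p + 0 <= hi + 0) found = 1
      }
    }
    END { exit found ? 0 : 1 }'
}

# firewalld_allows PORT SERVICE -> exit 0 if PORT/tcp is opened explicitly or SERVICE is enabled
firewalld_allows() {
  printf '%s\n' "$FW_OUT" | awk -v p="$1/tcp" -v s="$2" '
    $1 == "ports:"    { for (i = 2; i <= NF; i++) if ($i == p) ok = 1 }
    $1 == "services:" { for (i = 2; i <= NF; i++) if ($i == s) ok = 1 }
    END { exit ok ? 0 : 1 }'
}

# remote_reachable LABEL PORT SERVICE -> prints which layer(s), if any, block a remote client
remote_reachable() {
  sel=""; fw=""
  selinux_allows "$1" "$2" || sel="selinux"
  firewalld_allows "$2" "$3" || fw="firewalld"
  if [ -z "$sel$fw" ]; then echo "allowed"
  elif [ -n "$sel" ] && [ -n "$fw" ]; then echo "blocked by selinux and firewalld"
  else echo "blocked by $sel$fw"
  fi
}

remote_reachable mysqld_port_t 3306 mysql   # allowed: both layers agree
remote_reachable http_port_t 80 http        # blocked by firewalld: label ok, no traffic rule
```

Note that "blocked by selinux" here means the daemon cannot even bind the port, while "blocked by firewalld" means it binds fine and still answers on localhost, exactly the distinction the answer draws.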

Huge thanks for the clarification. I assumed that perhaps SELinux could have some interaction/control over Firewalld. Now all is clear. Thanks again!

2 Likes