How can I use an SELinux unused port

How can I use an SELinux unused port

by Brian Ginn-3

I want to use port 60000 for a confined application that is not postgrey.

However port 60000 is "owned by" postgrey and I can't seem to get past that.

I don't want to add SELinux policy that allows my app to use postgrey's port,
I want my app to think the port is myapp_port_t.

Is there a way to free port 60000 from postgrey?

[root@domingo install]# netstat -an | grep 60000
[root@domingo install]# semanage port -l | grep 60000
postgrey_port_t                tcp      60000
[root@domingo install]# /usr/sbin/semanage port -d -t postgrey_port_t -p tcp 60000
/usr/sbin/semanage: Port tcp/60000 is defined in policy, cannot be deleted
[root@domingo install]#

Thanks,

Brian


--
fedora-selinux-list mailing list
fedora-selinux-list@...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Re: How can I use an SELinux unused port

by Dominick Grift

On Wed, Sep 23, 2009 at 09:35:40AM -0700, Brian Ginn wrote:

> I want to use port 60000 for a confined application that is not postgrey.
>
> However port 60000 is "owned by" postgrey and I can't seem to get past that.
>
> I don't want to add SELinux policy that allows my app to use postgrey's port,
> I want my app to think the port is myapp_port_t.
>
> Is there a way to free port 60000 from postgrey?
No easy way, no. The port is declared in the corenetwork source policy, which is compiled into the base module. You cannot alter/remove policy that is defined in base without editing and rebuilding the whole thing.

You would have to get the selinux-policy.src.rpm corresponding to what you have installed, prep it (apply patch), then in corenetwork.te.in remove the declaration for the particular port, rebuild and reinstall it.

But why not share the port with postgrey? Only one service can bind to it at a time anyways. Other objects get shared all the time.

>
> [root@domingo install]# netstat -an | grep 60000
> [root@domingo install]# semanage port -l | grep 60000
> postgrey_port_t                tcp      60000
> [root@domingo install]# /usr/sbin/semanage port -d -t postgrey_port_t -p tcp 60000
> /usr/sbin/semanage: Port tcp/60000 is defined in policy, cannot be deleted
> [root@domingo install]#
>
> Thanks,
> Brian


Re: How can I use an SELinux unused port

by Daniel J Walsh

On 09/24/2009 02:32 AM, Dominick Grift wrote:
> On Wed, Sep 23, 2009 at 09:35:40AM -0700, Brian Ginn wrote:
>> I want to use port 60000 for a confined application that is not postgrey.
>>
>> However port 60000 is "owned by" postgrey and I can't seem to get past that.
>>
>> I don't want to add SELinux policy that allows my app to use postgrey's port,
>> I want my app to think the port is myapp_port_t.
>>
>> Is there a way to free port 60000 from postgrey?
>
> No easy way, no. The port is declared in the corenetwork source policy, which is compiled into the base module. You cannot alter/remove policy that is defined in base without editing and rebuilding the whole thing.
>
> You would have to get the selinux-policy.src.rpm corresponding to what you have installed, prep it (apply patch), then in corenetwork.te.in remove the declaration for the particular port, rebuild and reinstall it.
>
> But why not share the port with postgrey? Only one service can bind to it at a time anyways. Other objects get shared all the time.
>
>> [root@domingo install]# netstat -an | grep 60000
>> [root@domingo install]# semanage port -l | grep 60000
>> postgrey_port_t                tcp      60000
>> [root@domingo install]# /usr/sbin/semanage port -d -t postgrey_port_t -p tcp 60000
>> /usr/sbin/semanage: Port tcp/60000 is defined in policy, cannot be deleted
>> [root@domingo install]#

I agree, your best choice is to just let your app use postgrey_port_t.

>>
>> Thanks,
>> Brian

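Both replies land on the same approach: keep the port declaration where it is in base and let the confined domain bind to postgrey_port_t. The following POSIX shell is an added example, not code from the thread or from the selinux-policy package: port_type reads a `semanage port -l` listing and reports which type covers a port, and bind_module emits a minimal policy module for an assumed domain myapp_t using the corenet_tcp_bind_postgrey_port() interface that refpolicy generates for every port declared with network_port(). The listing in the block is constructed.

```shell
# Added example, not code from the thread. Rather than deleting a port
# declaration that lives in the compiled base module, grant the confined
# domain the right to bind to the existing port type. "myapp_t" is an assumed
# domain name; the listing below is constructed to look like `semanage port -l`.

# port_type PORT PROTO: read a `semanage port -l` listing on stdin and print
# the port type whose entry (single port, "a, b, c" list or a-b range)
# covers PORT/PROTO. An exact entry is preferred over an enclosing range;
# nothing is printed when the port is undeclared.
port_type() {
    awk -v port="$1" -v proto="$2" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                sub(/,$/, "", $i)                  # drop list separators
                n = split($i, r, "-")              # r[1]-r[2] for ranges
                lo = r[1] + 0; hi = (n > 1) ? r[2] + 0 : lo
                if (port + 0 < lo || port + 0 > hi) continue
                if (n == 1) { print $1; found = 1; exit }
                if (range == "") range = $1        # first enclosing range
            }
        }
        END { if (!found && range != "") print range }'
}

# bind_module DOMAIN PORT_TYPE: print the source of a small policy module
# letting DOMAIN bind to PORT_TYPE. Each port declared through the refpolicy
# network_port() macro gets a corenet_tcp_bind_<name>_port() interface, so
# postgrey_port_t is reachable as corenet_tcp_bind_postgrey_port().
bind_module() {
    domain=$1
    name=${2%_port_t}
    cat <<EOF
policy_module(${domain%_t}_${name}port, 1.0)
gen_require(\`
    type ${domain};
')
corenet_tcp_bind_${name}_port(${domain})
EOF
}

# Demonstration on the constructed listing. On a real host, pipe in
# `semanage port -l`, save the module as myapp_postgreyport.te, then:
#   make -f /usr/share/selinux/devel/Makefile myapp_postgreyport.pp
#   semodule -i myapp_postgreyport.pp
LISTING='ephemeral_port_t               tcp      32768-61000
postgrey_port_t                tcp      60000'
owner=$(printf '%s\n' "$LISTING" | port_type 60000 tcp)
bind_module myapp_t "$owner"
```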