How can I use an SELinux unused port

Dominick Grift domg472 at gmail.com
Thu Sep 24 09:32:45 UTC 2009


On Wed, Sep 23, 2009 at 09:35:40AM -0700, Brian Ginn wrote:
> I want to use port 60000 for a confined application that is not postgrey.
> 
> However port 60000 is "owned by" postgrey and I can't seem to get past that.
> 
> I don't want to add SELinux policy that allows my app to use postgrey's port,
> 
> I want my app to think the port is myapp_port_t.
> 
> Is there a way to free port 60000 from postgrey?

No easy way, no. The port is declared in the corenetwork source policy, which is compiled into the base module. You cannot alter or remove policy that is defined in base without editing and rebuilding the whole thing.

You would have to get the selinux-policy.src.rpm corresponding to what you have installed, prep it (apply patches), then in corenetwork.te.in remove the declaration for the particular port, rebuild and reinstall it.

But why not share the port with postgrey? Only one service can bind to it at a time anyway. Other objects get shared all the time.

> 
> [root at domingo install]# netstat -an | grep 60000
> 
> [root at domingo install]# semanage port -l | grep 60000
> 
> postgrey_port_t                tcp      60000
> 
> [root at domingo install]# /usr/sbin/semanage port -d -t postgrey_port_t -p tcp 60000
> 
> /usr/sbin/semanage: Port tcp/60000 is defined in policy, cannot be deleted
> 
> [root at domingo install]#
> 
> Thanks,
> 
> Brian
> 
> 

> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
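The editing step of the rebuild described in the reply, as an added example that is not part of the list post: a small shell helper that removes one network_port() declaration from a copy of corenetwork.te.in and a check that it is gone. The excerpt it operates on is constructed here in the refpolicy declaration style and is not a copy of the Fedora policy source; the rpmbuild paths in the comments assume a ~/rpmbuild layout and are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Drops a single
# network_port(TYPE, PROTO,PORT,...) declaration from corenetwork.te.in.

# Constructed excerpt in corenetwork.te.in style (not the real file).
SAMPLE='network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,995,s0)
network_port(postgresql, tcp,5432,s0)
network_port(postgrey, tcp,60000,s0)
network_port(printer, tcp,515,s0)'

# drop_port_decl TYPE PROTO PORT  (reads stdin, writes stdout)
# Deletes only the declaration line for TYPE/PROTO/PORT. The pattern is
# anchored at the start of the line and at the comma after the port so that,
# for example, "postgres" does not also match "postgresql".
drop_port_decl() {
    type="$1"; proto="$2"; port="$3"
    sed -E "/^network_port\(${type}, *${proto},${port},/d"
}

# declares_port TYPE PROTO PORT  (reads stdin) -> exit 0 if declared
declares_port() {
    grep -q -E "^network_port\($1, *$2,$3,"
}

# count_decls  (reads stdin) -> number of network_port() lines
count_decls() {
    grep -c '^network_port('
}

# The surrounding rebuild, as sketched in the reply (paths assumed):
#   rpm -ivh selinux-policy-<version>.src.rpm
#   rpmbuild -bp ~/rpmbuild/SPECS/selinux-policy.spec   # %prep: unpack, apply patches
#   edit BUILD/.../policy/modules/kernel/corenetwork.te.in with drop_port_decl
#   capture the edit as a patch and add it to the spec, because a later
#   rpmbuild -ba re-runs %prep and would discard edits made in BUILD
#   rpmbuild -ba ~/rpmbuild/SPECS/selinux-policy.spec   # rebuild
#   rpm -Uvh ~/rpmbuild/RPMS/noarch/selinux-policy-*.rpm # reinstall

# Stand-alone demo.
printf '%s\n' "$SAMPLE" | drop_port_decl postgrey tcp 60000
```

Anything else in the policy tree that refers to postgrey_port_t (the postgrey module's own bind rule, for instance) has to be adjusted in the same patch, or the build will fail on the now-undefined type.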
