How can I use an selinux unused port
Dominick Grift
domg472 at gmail.com
Thu Sep 24 09:32:45 UTC 2009
On Wed, Sep 23, 2009 at 09:35:40AM -0700, Brian Ginn wrote:
> I want to use port 60000 for a confined application that is not postgrey.
>
> However port 60000 is "owned by" postgrey and I can't seem to get past that.
>
> I don't want to add SELinux policy that allows my app to use postgrey's port,
>
> I want my app to think the port is myapp_port_t.
>
>
>
> Is there a way to free port 60000 from postgrey?
No easy way no, the port is declared in the corenetwork source policy which is compiled in the base module. You cannot alter/remove policy that is defined in base without editing rebuilding the whole thing.
You would have to get the selinux-policy.src.rpm corresponding to what you have installed, prep it (apply patch), Than in corenetwork.te.in remove the declaration for the particular port , rebuild and reinstall it.
But why not share the port with postgrey? Only one service can bind to it at a time anyways. Other objects get shared all the time.
>
>
>
> [root at domingo install]# netstat -an | grep 60000
>
> [root at domingo install]# semanage port -l | grep 60000
>
> postgrey_port_t tcp 60000
>
> [root at domingo install]# /usr/sbin/semanage port -d -t postgrey_port_t -p tcp 60000
>
> /usr/sbin/semanage: Port tcp/60000 is defined in policy, cannot be deleted
>
> [root at domingo install]#
>
>
>
>
>
>
>
> Thanks,
>
> Brian
>
>
> ______________________________________________________________________
> This email has been scanned by the MessageLabs Email Security System.
> For more information please visit http://www.messagelabs.com/email
> ______________________________________________________________________
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20090924/18c74a4e/attachment.sig>
More information about the fedora-selinux-list
mailing list