From: Murray McAllister <mmcallis@redhat.com>
To: SE Linux <selinux@tycho.nsa.gov>
Cc: Daniel Walsh <dwalsh@redhat.com>, Eric Paris <eparis@redhat.com>,
	James Morris <jmorris@namei.org>
Subject: user guide draft: "Port Numbers"
Date: Thu, 06 Nov 2008 18:10:04 +1000
Message-ID: <4912A65C.7090906@redhat.com>

I renamed "Booleans for Confined Services" to "How are Confined Services 
Running?", and added a little about port numbers:

[introduction]

Services can be run in a variety of ways. To cater for this, you must 
tell SELinux how you are running services. This can be achieved via 
Booleans that allow parts of SELinux policy to be changed at runtime, 
without any knowledge of SELinux policy writing. This allows changes, 
such as allowing services access to NFS file systems, without reloading 
or recompiling SELinux policy. Also, running services on non-default 
port numbers requires policy configuration to be updated via the 
semanage command.

...

Port Numbers

Depending on policy configuration, services may only be allowed to run 
on certain port numbers. Attempting to change which port a server runs 
on without changing policy may result in the service failing to start. 
For example, run the semanage port -l | grep http command to list http 
related ports:

[example output]

The http_port_t port type defines which ports the Apache HTTP Server can 
listen on, which in this case, are TCP ports 80, 443, 488, 8008, 8009, 
and 8443. If an administrator configures httpd.conf so that httpd 
listens on port 9876 (Listen 9876), but policy is not updated to reflect 
this, the service httpd start command fails:

[example output]

An SELinux denial similar to the following is logged to 
/var/log/audit/audit.log:

[example output]

To allow httpd to listen on a port that is not listed for the 
http_port_t port type, run the semanage port command to add it to policy 
configuration[1]:

# /usr/sbin/semanage port -a -t http_port_t -p tcp 9876

The -a option adds a new record; the -t option defines a type; and the 
-p option defines a protocol. The last argument is the port number to add.
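As an added example (not part of the draft or of the semanage tool), the following POSIX shell functions check a listing in the format of semanage port -l for whether a port type already covers a port, handling both single ports and ranges, and print the guide's semanage command when it does not. The listing embedded in SAMPLE_PORTS is constructed, not captured from a real system.

```shell
#!/bin/sh
# Constructed sample in the format of `semanage port -l` (not real system output).
SAMPLE_PORTS='http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
http_cache_port_t              tcp      3128, 8080, 8118, 10001-10010
http_cache_port_t              udp      3130
ephemeral_port_t               tcp      32768-61000'

# port_allowed TYPE PROTO PORT
# Returns 0 if PORT is covered by a TYPE/PROTO entry in the listing,
# either as a single port or inside a LOW-HIGH range; returns 1 otherwise.
port_allowed() {
    ptype="$1"; proto="$2"; port="$3"
    printf '%s\n' "$SAMPLE_PORTS" | awk -v t="$ptype" -v p="$proto" -v n="$port" '
        $1 == t && $2 == p {
            # Fields 3..NF are the ports, each possibly followed by a comma.
            for (i = 3; i <= NF; i++) {
                f = $i; sub(/,$/, "", f)
                if (split(f, r, "-") == 2) {
                    if (n + 0 >= r[1] + 0 && n + 0 <= r[2] + 0) found = 1
                } else if (f + 0 == n + 0) {
                    found = 1
                }
            }
        }
        END { exit found ? 0 : 1 }'
}

# suggest_fix TYPE PROTO PORT
# Prints the semanage command from the guide when the port is not yet in
# policy, or a short confirmation when it already is.
suggest_fix() {
    if port_allowed "$1" "$2" "$3"; then
        echo "port $3/$2 is already allowed for $1"
    else
        echo "/usr/sbin/semanage port -a -t $1 -p $2 $3"
    fi
}

suggest_fix http_port_t tcp 443
suggest_fix http_port_t tcp 9876
```

On a real system, replace SAMPLE_PORTS with the output of semanage port -l (run as root) to check a port before editing httpd.conf.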

Thanks!


[1] The semanage port -a command adds an entry to the 
/etc/selinux/targeted/modules/active/ports.local file. Note: by default, 
this file can only be viewed by the Linux root user.

