* user guide draft: "Port Numbers"
@ 2008-11-06  8:10 Murray McAllister
From: Murray McAllister @ 2008-11-06  8:10 UTC (permalink / raw)
  To: SE Linux; +Cc: Daniel Walsh, Eric Paris, James Morris

I renamed "Booleans for Confined Services" to "How are Confined Services 
Running?", and added a little about port numbers:

[introduction]

Services can be run in a variety of ways. To cater for this, you must 
tell SELinux how you are running services. This can be achieved via 
Booleans that allow parts of SELinux policy to be changed at runtime, 
without any knowledge of SELinux policy writing. This allows changes, 
such as allowing services access to NFS file systems, without reloading 
or recompiling SELinux policy. Also, running services on non-default 
port numbers requires policy configuration to be updated via the 
semanage command.

...

Port Numbers

Depending on policy configuration, services may only be allowed to run 
on certain port numbers. Attempting to change which port a server runs
on without changing policy may result in the service failing to start. 
For example, run the semanage port -l | grep http command to list http 
related ports:

[example output]

The http_port_t port type defines which ports the Apache HTTP Server can 
listen on, which in this case, are TCP ports 80, 443, 488, 8008, 8009, 
and 8443. If an administrator configures httpd.conf so that httpd 
listens on port 9876 (Listen 9876), but policy is not updated to reflect 
this, the service httpd start command fails:

[example output]

An SELinux denial similar to the following is logged to
/var/log/audit/audit.log:

[example output]

To allow httpd to listen on a port that is not listed for the 
http_port_t port type, run the semanage port command to add it to policy 
configuration[1]:

# /usr/sbin/semanage port -a -t http_port_t -p tcp 9876

The -a option adds a new record; the -t option defines a type; and the 
-p option defines a protocol. The last argument is the port number to add.

Thanks!


[1] The semanage port -a command adds an entry to the 
/etc/selinux/targeted/modules/active/ports.local file. Note: by default, 
this file can only be viewed by the Linux root user.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
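As an added example (not part of Murray's draft and not a tool shipped by the SELinux project), the POSIX shell script below automates the check the draft describes: it reads a `semanage port -l`-style listing, works out which port type covers a given port (expanding ranges such as `10001-10010`), pulls the ports out of httpd.conf `Listen` directives, and for each one either reports that `http_port_t` already covers it, prints the `semanage port -a` command that would add it, or flags that another type already owns the port, in which case `semanage port -a` refuses with an "already defined" error instead of silently reassigning it. The listing and the httpd.conf fragment are constructed samples embedded in the script so it runs offline; the function names (`types_for_port`, `port_allowed`, `plan_port`, `listen_ports`) are this example's own.

```shell
#!/bin/sh
# Added example: check whether the ports in httpd.conf "Listen" directives are
# covered by the http_port_t port type before restarting httpd. Nothing here is
# from the user guide draft; the function names and both samples are this
# example's own.

# Constructed sample in the layout of `semanage port -l | grep http`.
# On a real system, replace it with the live output:
#   PORT_LISTING=$(semanage port -l | grep http)
SAMPLE_PORTS='http_cache_port_t              tcp      3128, 8080, 8118, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
pegasus_http_port_t            tcp      5988'

# Constructed httpd.conf fragment: one Listen directive per line.
SAMPLE_CONF='Listen 80
Listen 0.0.0.0:443 https
Listen 9876'

# types_for_port PROTO PORT [LISTING]
# Print each port type whose PROTO line covers PORT. Entries such as
# "10001-10010" are inclusive ranges. The listing defaults to the sample.
types_for_port() {
    proto=$1
    port=$2
    listing=${3:-$SAMPLE_PORTS}
    printf '%s\n' "$listing" | awk -v proto="$proto" -v port="$port" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                gsub(",", "", $i)
                if (split($i, r, "-") == 2) { lo = r[1] + 0; hi = r[2] + 0 }
                else                         { lo = $i + 0;   hi = lo }
                if (port + 0 >= lo && port + 0 <= hi) { print $1; break }
            }
        }'
}

# port_allowed TYPE PROTO PORT [LISTING]
# Succeed (exit 0) only if PORT/PROTO is already listed under TYPE.
port_allowed() {
    types_for_port "$2" "$3" "${4:-$SAMPLE_PORTS}" | grep -qx -- "$1"
}

# plan_port TYPE PROTO PORT [LISTING]
# Report what has to happen for TYPE to be allowed PORT/PROTO:
#   "already-allowed"           policy permits it; nothing to do
#   "semanage port -a ..."      port is unassigned; this command adds it
#   "defined-for:<other_type>"  another type owns the port; `semanage port -a`
#                               would fail with "already defined"
plan_port() {
    owner=$(types_for_port "$2" "$3" "${4:-$SAMPLE_PORTS}")
    if [ "$owner" = "$1" ]; then
        echo "already-allowed"
    elif [ -z "$owner" ]; then
        echo "semanage port -a -t $1 -p $2 $3"
    else
        echo "defined-for:$owner"
    fi
}

# listen_ports [CONF]
# Print the TCP port of every "Listen [address:]port [protocol]" directive;
# the port is the last colon-separated field, so "[::]:443" yields 443.
listen_ports() {
    printf '%s\n' "${1:-$SAMPLE_CONF}" |
        awk '$1 == "Listen" { n = split($2, a, ":"); print a[n] }'
}

# Walk the sample configuration and report what policy needs for each port.
for p in $(listen_ports); do
    printf '%s/tcp: %s\n' "$p" "$(plan_port http_port_t tcp "$p")"
done
```

Against the samples, ports 80 and 443 come back as already allowed and 9876 yields the `semanage port -a -t http_port_t -p tcp 9876` command from the draft; asking for `http_cache_port_t` on port 80 is reported as a conflict with `http_port_t` rather than as a command to run, which is the case the reply in this thread asks about.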


* Re: user guide draft: "Port Numbers"
From: Jan-Frode Myklebust @ 2008-11-07  8:08 UTC (permalink / raw)
  To: Murray McAllister; +Cc: SE Linux, Daniel Walsh, Eric Paris, James Morris

On Thu, Nov 06, 2008 at 06:10:04PM +1000, Murray McAllister wrote:
> I renamed "Booleans for Confined Services" to "How are Confined Services  
> Running?", and added a little about port numbers:
>
> ...
>
> Port Numbers
>
> Depending on policy configuration, services may only be allowed to run  
> on certain port numbers. Attempting to change which port a server runs
> on without changing policy may result in the service failing to start.  
> For example, run the semanage port -l | grep http command to list http  
> related ports:

Can one redefine the policy-defined http ports? I.e. change port 80
from http_port_t to http_cache_port_t? I don't think this is possible,
but it would be nice to have some clarification in the user guide.


  -jf

