* help with a compiled policy and port 443
@ 2010-07-26 20:48 Ralph Blach
  2010-07-27 14:31 ` David P. Quigley
  0 siblings, 1 reply; 3+ messages in thread
From: Ralph Blach @ 2010-07-26 20:48 UTC (permalink / raw)
  To: selinux

Good afternoon,
I happen to be a novice at selinux and wish to be more familiar with it.

This worked before but it does not work now.

I wish to put ssh on port 443

Before I used the commands


semanage port -d -t http_port_t -p tcp 443
semanage port -a -t sshd_port_t -p tcp 443

and these worked perfectly.

Now I get the error

semanage port -d -t http_port_t -p tcp 443
/usr/sbin/semanage: Port tcp/443 is defined in policy, cannot be deleted
[root@chipblach ~]#


How do I get around this and get semanage to function?


What is a defined policy and how do I edit it?

Thanks



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: help with a compiled policy and port 443
  2010-07-26 20:48 help with a compiled policy and port 443 Ralph Blach
@ 2010-07-27 14:31 ` David P. Quigley
  2010-07-27 16:25   ` Dominick Grift
  0 siblings, 1 reply; 3+ messages in thread
From: David P. Quigley @ 2010-07-27 14:31 UTC (permalink / raw)
  To: Ralph Blach; +Cc: selinux

On Mon, 2010-07-26 at 16:48 -0400, Ralph Blach wrote:
> Good afternoon,
> I happen to be a novice at selinux and wish to be more familiar with it.
> 
> This worked before but it does not work now.
> 
> I wish to put ssh on port 443
> 
> Before I used the commands
> 
> 
> semanage port -d -t http_port_t -p tcp 443
> semanage port -a -t sshd_port_t -p tcp 443
> 
> and these worked perfectly.
> 
> Now I get the error
> 
> semanage port -d -t http_port_t -p tcp 443
> /usr/sbin/semanage: Port tcp/443 is defined in policy, cannot be deleted
> [root@chipblach ~]#
> 
> 
> How do I get around this and get semanage to function?
> 
> 
> What is a defined policy and how do I edit it?
> 
> Thanks
> 

What I did was semanage port -m -t ssh_port_t -p tcp 443 and it added
443 to the list of ports for ssh_port_t. The issue is that 443 is still
listed under the ports for http_port_t as well. If I remember correctly
it should take the last change made as the label for the port. So even
though it says 443 for http_port_t it will match the entry for
ssh_port_t.

Dave



* Re: help with a compiled policy and port 443
  2010-07-27 14:31 ` David P. Quigley
@ 2010-07-27 16:25   ` Dominick Grift
  0 siblings, 0 replies; 3+ messages in thread
From: Dominick Grift @ 2010-07-27 16:25 UTC (permalink / raw)
  To: selinux


On Tue, Jul 27, 2010 at 10:31:31AM -0400, David P. Quigley wrote:
> On Mon, 2010-07-26 at 16:48 -0400, Ralph Blach wrote:
> > Good afternoon,
> > I happen to be a novice at selinux and wish to be more familiar with it.
> > 
> > This worked before but it does not work now.
> > 
> > I wish to put ssh on port 443
> > 
> > Before I used the commands
> > 
> > 
> > semanage port -d -t http_port_t -p tcp 443
> > semanage port -a -t sshd_port_t -p tcp 443
> > 
> > and these worked perfectly.
> > 
> > Now I get the error
> > 
> > semanage port -d -t http_port_t -p tcp 443
> > /usr/sbin/semanage: Port tcp/443 is defined in policy, cannot be deleted
> > [root@chipblach ~]#
> > 
> > 
> > How do I get around this and get semanage to function?
> > 
> > 
> > What is a defined policy and how do I edit it?
> > 
> > Thanks
> > 
> 
> What I did was semanage port -m -t ssh_port_t -p tcp 443 and it added
> 443 to the list of ports for ssh_port_t. The issue is that 443 is still
> listed under the ports for http_port_t as well. If I remember correctly
> it should take the last change made as the label for the port. So even
> though it says 443 for http_port_t it will match the entry for
> ssh_port_t.

I do not think it works like that but I could be wrong. tcp 443 is defined in policy for httpd_t.

What you could do is use audit2allow to allow sshd to interact with http_port_t instead.
> 
> Dave
> 
> 

end of thread, other threads:[~2010-07-27 16:25 UTC | newest]
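
The thread turns on tcp/443 appearing under more than one port type after `semanage port -m`. The following is an added example, not code from any poster in this thread: a check that reads a listing in the `semanage port -l` layout and reports every type that claims a given port, including ports covered by a range. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the column layout printed by `semanage port -l`.
sample_listing() {
    cat <<'EOF'
SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      443, 22
vnc_port_t                     tcp      5900-5983, 5985-5999
dns_port_t                     udp      53
EOF
}

# types_for_port PROTO PORT
# Reads a listing on stdin and prints each type whose port list
# contains PORT, either as a single entry or inside a LOW-HIGH range.
types_for_port() {
    awk -v proto="$1" -v port="$2" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                item = $i
                sub(/,$/, "", item)          # drop the list separator
                n = split(item, r, "-")      # "5900-5983" -> two bounds
                lo = r[1] + 0
                hi = (n == 2) ? r[2] + 0 : lo
                if (port + 0 >= lo && port + 0 <= hi) { print $1; break }
            }
        }'
}

# label_is_ambiguous PROTO PORT
# Exit status 0 when more than one type in the listing claims the port.
label_is_ambiguous() {
    [ "$(types_for_port "$1" "$2" | awk 'END { print NR }')" -gt 1 ]
}

# Stand-alone run against the constructed sample.
sample_listing | types_for_port tcp 443
```

On a live system, pipe `semanage port -l` into `types_for_port tcp 443` instead of the sample; `semanage port -l -C` limits the listing to local customizations.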
