On 08/01/2010 06:22 PM, Ralph Blach wrote:
> To be specific, I want to run sshd on port 443, and not port 22, because
> of all the hackers probing port 22.
>
> port 443 looks like httpd traffic and therefore is not really suspicious.
>
> That is what I need to achieve so I need to modify the corenetwork
> module to do this.
>
> How is this done and where is the source for the core network module?

Try this:

mkdir ~/mysshd; cd ~/mysshd;
cat > mysshd.te <<D_G
policy_module(mysshd, 1.0.0)

gen_require(`
    type sshd_t;
')

corenet_tcp_bind_http_ports(sshd_t)
D_G

That custom policy module should allow sshd to bind tcp sockets to http
ports (including tcp:443)

You can find source policy in the source package for your policy. Here
is the policy browser from upstream:
http://oss.tresys.com/projects/refpolicy/browser

> Thanks
>
> Chip
>
> On 08/01/2010 12:02 PM, Dominick Grift wrote:
>> On 08/01/2010 05:43 PM, Ralph Blach wrote:
>>> I have discovered that ports 443 and 22 are in module tcp.
>>>
>>> How do I rewrite module tcp so that I can configure it as I want.
>>>
>>> Where do I find module tcp?
>>>
>>> I did a semanage port -l | grep 22 and module tcp was listed.
>>> I did the same for port 443
>>>
>>> Thanks
>
>> ports are declared (defined) in the corenetwork module. This module is
>> part of the base module. Modules that are part of the base module are
>> not listed with semodule -l.
>
>> What exactly do you want to achieve? If you are specific about your
>> requirements we can try to help you implement it.
>
>>> Chip
>>>
>>> On 07/27/2010 08:29 PM, Jason Axelson wrote:
>>>> On Tue, Jul 27, 2010 at 2:20 PM, Ralph Blach wrote:
>>>>> how do I use semanage to list the policy modules.
>>>
>>>> Hi Chip,
>>>
>>>> Perhaps you are looking for "semodule -l"? That will list out all the
>>>> installed policy modules (besides base).
>>>
>>>> Jason
>>>
>
>> --
>> This message was distributed to subscribers of the selinux mailing list.
>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
>> with the words "unsubscribe selinux" without quotes as the message.
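The build, install and verification steps that follow the .te file in the reply above, as an added example that is not part of the original thread. It assumes the refpolicy development Makefile at /usr/share/selinux/devel/Makefile (selinux-policy-devel on Fedora/RHEL) and the setools `sesearch` command; the policy text itself is the one given in the reply.

```shell
#!/bin/sh
# Added example: build, load and verify the mysshd module from the thread.
# Assumes /usr/share/selinux/devel/Makefile (selinux-policy-devel) and
# sesearch (setools) are installed; build_and_install needs root.

MODULE=mysshd
WORKDIR="$HOME/$MODULE"
DEVEL_MAKEFILE=/usr/share/selinux/devel/Makefile

# Emit the policy source on stdout. gen_require() declares sshd_t, the
# domain passed to the corenetwork interface below.
mysshd_te() {
    cat <<'EOF'
policy_module(mysshd, 1.0.0)

gen_require(`
    type sshd_t;
')

# Allow sshd_t to name_bind on every port labelled http_port_t (tcp:443 included).
corenet_tcp_bind_http_ports(sshd_t)
EOF
}

# Compile the .te into a .pp with the refpolicy Makefile and load it.
build_and_install() {
    mkdir -p "$WORKDIR" && cd "$WORKDIR" || return 1
    mysshd_te > "$MODULE.te"
    make -f "$DEVEL_MAKEFILE" "$MODULE.pp" || return 1
    semodule -i "$MODULE.pp"
}

# Exit 0 only if the loaded policy now lets sshd_t name_bind to
# http_port_t tcp sockets; the grep matches the sesearch allow line.
verify_bind_rule() {
    sesearch -A -s sshd_t -t http_port_t -c tcp_socket -p name_bind \
        | grep -q 'allow sshd_t http_port_t'
}

# Sanity check on the generated source: number of interface calls present.
count_bind_calls() {
    mysshd_te | grep -c 'corenet_tcp_bind_http_ports(sshd_t)'
}

if [ "${1:-}" = "install" ]; then
    build_and_install && verify_bind_rule && echo "sshd_t may now bind http ports"
fi
```

Loading the module only changes what SELinux permits; sshd still has to be told to listen on 443 (Port 443 in sshd_config) and restarted.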