On Wed, April 1, 2015 16:09, Andrew Holway wrote:
I used the command `semanage port -m -t http_port_t -p tcp 8000` to relabel a port. Perhaps you could try `semanage port -m -t unconfined_t -p tcp 8000`. Failing that, would it work to run your application in the httpd_t domain?
I ended up having to create a custom policy to allow the other application to have access to the http_port_t context, which is not an issue given that no httpd service is, or will ever be, installed on that host.
However, it seems a rather dangerous hole in the logical design of SELinux that one cannot explicitly remove and reassign contexts to ports. In order to accomplish this on a system running httpd but attached to non-standard ports, one is perforce required to cross-link permissions between all of the affected processes, which I cannot conceive of as a security enhancement.
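The custom-policy route described in the reply above, written out as an added example (not the poster's own module): a minimal SELinux TE module that lets one confined application bind to ports labelled http_port_t, with the port label and httpd_t's own rules left untouched. The domain name myapp_t is an assumption standing in for whatever domain the application actually runs in.

```selinux
# myapp_http_port.te -- added example; myapp_t is a hypothetical domain name
policy_module(myapp_http_port, 1.0)

require {
    type myapp_t;       # confined domain of the non-httpd application (assumed)
    type http_port_t;   # existing port type that tcp/8000 was relabelled to
}

# Grant only what binding needs: name_bind on http_port_t for myapp_t.
# No other domain gains anything, and the port keeps its http_port_t label.
allow myapp_t http_port_t:tcp_socket name_bind;

# The reference-policy interface form of the same rule, if the devel
# headers are installed, is:
#   corenet_tcp_bind_http_port(myapp_t)

# Build and load (as root, with selinux-policy-devel present):
#   make -f /usr/share/selinux/devel/Makefile myapp_http_port.pp
#   semodule -i myapp_http_port.pp
# Check which type the port currently resolves to before and after:
#   semanage port -l | grep -w 8000
# Watch for leftover denials after loading the module:
#   ausearch -m AVC -ts recent | grep name_bind
```

Scoping the rule to name_bind for a single domain is the narrower alternative to moving the port to a broad type; any denial that still shows up in the audit log points at a permission this module deliberately did not grant.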