[CentOS] SEmodule dependency hell.
James B. Byrne
byrnejb at harte-lyne.ca
Thu Apr 2 14:20:56 UTC 2015
On Wed, April 1, 2015 16:09, Andrew Holway wrote:
> I used the command: semanage port -m -t http_port_t -p tcp 8000
> to relabel a port. Perhaps you could try:
> "semanage port -m -t unconfined_t -p tcp 8000"
> Failing that, would it work to run your application in the httpd_t
> domain?
>
I ended up having to create a custom policy to allow the other
application to have access to the http_port_t context, which is not
an issue given that no httpd service is, or will ever be, installed on
that host.
However, it seems a rather dangerous hole in the logical design of
SELinux that one cannot explicitly remove and reassign contexts to
ports. In order to accomplish this on a system running httpd but
attached to non-standard ports, one perforce is required to cross-link
permissions between all of the affected processes, which I cannot
conceive of as a security enhancement.
--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
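The custom-policy route described above, as an added example that is not part of the original thread: a POSIX shell script that generates and installs a minimal SELinux module granting one confined domain only the name_bind permission on http_port_t, rather than relabelling the port. The domain name myapp_t is a placeholder for the application's actual domain (check with ps -eZ); the policy tools are only invoked if present.

```shell
#!/bin/sh
# Added example (not from the original mail). Builds a minimal SELinux policy
# module so that a confined domain may bind to http_port_t, keeping the grant
# narrow: one domain, one port type, one permission. "myapp_t" is a placeholder.

# Emit the type-enforcement (.te) source for the module to stdout.
gen_te() {
    domain="$1"                                  # e.g. myapp_t (placeholder)
    module="${2:-allow_${domain%_t}_http_port}"  # module name derived from domain
    cat <<EOF
module ${module} 1.0;

require {
    type ${domain};
    type http_port_t;
    class tcp_socket name_bind;
}

# Only binding is allowed; connect and other socket classes stay denied,
# so httpd_t and ${domain} share nothing beyond this one port type.
allow ${domain} http_port_t:tcp_socket name_bind;
EOF
}

# Compile and load the module when the SELinux policy tools are installed
# (checkpolicy and policycoreutils packages on CentOS).
install_module() {
    domain="$1"
    module="allow_${domain%_t}_http_port"
    if ! command -v checkmodule >/dev/null 2>&1; then
        echo "checkmodule not found; skipping build" >&2
        return 2
    fi
    workdir=$(mktemp -d) || return 1
    gen_te "$domain" "$module" > "$workdir/$module.te"
    checkmodule -M -m -o "$workdir/$module.mod" "$workdir/$module.te" || return 1
    semodule_package -o "$workdir/$module.pp" -m "$workdir/$module.mod" || return 1
    semodule -i "$workdir/$module.pp"
}

# Show which port type currently owns a port (default 8000): the label
# decides which domains may bind, so check it before and after the change.
show_port_label() {
    port="${1:-8000}"
    semanage port -l 2>/dev/null | grep -w -- "$port"
}
```

Run gen_te myapp_t to review the source before loading it; install_module myapp_t needs root and returns 2 when the toolchain is absent.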