[CentOS] SEmodule dependency hell.

James B. Byrne byrnejb at harte-lyne.ca
Thu Apr 2 14:20:56 UTC 2015


On Wed, April 1, 2015 16:09, Andrew Holway wrote:
> I used the command: semanage port -m -t http_port_t -p tcp 8000
> to relabel a port. perhaps you could try:
> "semanage port -m -t unconfined_t -p tcp 8000"
> Failing that; would it work to run your application in the httpd_t
> domain?
>

I ended up having to create a custom policy to allow the other
application to have access to the http_port_t context.  Which is not
an issue given that no httpd service is, or will ever be, installed on
that host.

However, it seems a rather dangerous hole in the logical design of
SELinux that one cannot explicitly remove and reassign contexts to
ports.  In order to accomplish this on a system running httpd but
attached to non-standard ports one perforce is required to cross link
permissions between all of the affected processes.  Which I cannot
conceive as a security enhancement.


-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3




More information about the CentOS mailing list