[CentOS] SEmodule dependency hell.
Andrew Holway
andrew.holway at gmail.com
Thu Apr 2 15:03:32 UTC 2015
File a bug!!!
On 2 April 2015 at 16:20, James B. Byrne <byrnejb at harte-lyne.ca> wrote:
>
> On Wed, April 1, 2015 16:09, Andrew Holway wrote:
> > I used the command: semanage port -m -t http_port_t -p tcp 8000
> > to relabel a port. Perhaps you could try:
> > "semanage port -m -t unconfined_t -p tcp 8000"
> > Failing that, would it work to run your application in the httpd_t
> > domain?
> >
>
> I ended up having to create a custom policy to allow the other
> application to have access to the http_port_t context. Which is not
> an issue given that no httpd service is, or will ever be, installed on
> that host.
>
> However, it seems a rather dangerous hole in the logical design of
> SELinux that one cannot explicitly remove and reassign contexts to
> ports. In order to accomplish this on a system running httpd but
> attached to non-standard ports one perforce is required to cross link
> permissions between all of the affected processes. Which I cannot
> conceive as a security enhancement.
>
>
> --
> *** E-Mail is NOT a SECURE channel ***
> James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
> Harte & Lyne Limited http://www.harte-lyne.ca
> 9 Brockley Drive vox: +1 905 561 1241
> Hamilton, Ontario fax: +1 905 561 0757
> Canada L8E 3C3
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>