[CentOS] SEmodule dependency hell.

Thu Apr 2 15:03:32 UTC 2015
Andrew Holway <andrew.holway at gmail.com>

File a bug!!!

On 2 April 2015 at 16:20, James B. Byrne <byrnejb at harte-lyne.ca> wrote:

>
> On Wed, April 1, 2015 16:09, Andrew Holway wrote:
> > I used the command: semanage port -m -t http_port_t -p tcp 8000
> > to relabel a port. Perhaps you could try:
> > "semanage port -m -t unconfined_t -p tcp 8000"
> > Failing that, would it work to run your application in the httpd_t
> > domain?
> >
>
> I ended up having to create a custom policy to allow the other
> application to have access to the http_port_t context.  Which is not
> an issue given that no httpd service is, or will ever be, installed on
> that host.
>
> However, it seems a rather dangerous hole in the logical design of
> SELinux that one cannot explicitly remove and reassign contexts to
> ports.  In order to accomplish this on a system running httpd but
> attached to non-standard ports one perforce is required to cross-link
> permissions between all of the affected processes.  Which I cannot
> conceive as a security enhancement.
>
>
> --
> ***          E-Mail is NOT a SECURE channel          ***
> James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
> Harte & Lyne Limited          http://www.harte-lyne.ca
> 9 Brockley Drive              vox: +1 905 561 1241
> Hamilton, Ontario             fax: +1 905 561 0757
> Canada  L8E 3C3
>
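The custom policy described in the quoted message can be derived from the AVC denial itself. The following is an added example, not part of the thread or of any poster's policy: it parses audit records and renders a type enforcement module granting only the denied permissions. The domain `myapp_t`, the module name and the sample audit record are constructed assumptions.

```python
import re

# Constructed audit record; myapp_t is a hypothetical domain, not from the thread.
SAMPLE_AVC = (
    'type=AVC msg=audit(1427986800.123:456): avc:  denied  { name_bind } for  '
    'pid=2211 comm="myapp" src=8000 '
    'scontext=system_u:system_r:myapp_t:s0 '
    'tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]+)\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def context_type(context):
    """Return the type field of an SELinux context (user:role:type[:level])."""
    parts = context.split(':')
    if len(parts) < 3:
        raise ValueError('malformed SELinux context: %r' % context)
    return parts[2]

def parse_denials(lines):
    """Map (source_type, target_type, class) -> set of denied permissions."""
    rules = {}
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (SYSCALL records, granted events, ...)
        key = (context_type(m['scon']), context_type(m['tcon']), m['tclass'])
        rules.setdefault(key, set()).update(m['perms'].split())
    return rules

def render_module(name, rules):
    """Render a .te module that allows exactly what the denials asked for."""
    types = sorted({t for src, tgt, _ in rules for t in (src, tgt)})
    classes = {}
    for (_, _, cls), perms in rules.items():
        classes.setdefault(cls, set()).update(perms)
    out = ['module %s 1.0;' % name, '', 'require {']
    out += ['    type %s;' % t for t in types]
    out += ['    class %s { %s };' % (c, ' '.join(sorted(p)))
            for c, p in sorted(classes.items())]
    out += ['}', '']
    for (src, tgt, cls), perms in sorted(rules.items()):
        out.append('allow %s %s:%s { %s };' % (src, tgt, cls, ' '.join(sorted(perms))))
    return '\n'.join(out) + '\n'
```

The rendered rule grants `name_bind` on every port labelled `http_port_t`, not only 8000, which is the cross-linking of permissions the quoted message objects to.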