On Wed, Sep 23, 2009 at 09:35:40AM -0700, Brian Ginn wrote: > I want to use port 60000 for a confined application that is not postgrey. > > However port 60000 is "owned by" postgrey and I can't seem to get past that. > > I don't want to add SELinux policy that allows my app to use postgrey's port, > > I want my app to think the port is myapp_port_t. > > > > Is there a way to free port 60000 from postgrey? No easy way no, the port is declared in the corenetwork source policy which is compiled in the base module. You cannot alter/remove policy that is defined in base without editing rebuilding the whole thing. You would have to get the selinux-policy.src.rpm corresponding to what you have installed, prep it (apply patch), Than in corenetwork.te.in remove the declaration for the particular port , rebuild and reinstall it. But why not share the port with postgrey? Only one service can bind to it at a time anyways. Other objects get shared all the time. > > > > [root@domingo install]# netstat -an | grep 60000 > > [root@domingo install]# semanage port -l | grep 60000 > > postgrey_port_t tcp 60000 > > [root@domingo install]# /usr/sbin/semanage port -d -t postgrey_port_t -p tcp 60000 > > /usr/sbin/semanage: Port tcp/60000 is defined in policy, cannot be deleted > > [root@domingo install]# > > > > > > > > Thanks, > > Brian > > > ______________________________________________________________________ > This email has been scanned by the MessageLabs Email Security System. > For more information please visit http://www.messagelabs.com/email > ______________________________________________________________________ > -- > fedora-selinux-list mailing list > fedora-selinux-list@xxxxxxxxxx > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Attachment:
pgpLlDO5fPLgf.pgp
Description: PGP signature
-- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
