Re: How can I use an selinux unused port

On 09/24/2009 02:32 AM, Dominick Grift wrote:
> On Wed, Sep 23, 2009 at 09:35:40AM -0700, Brian Ginn wrote:
>> I want to use port 60000 for a confined application that is not postgrey.
>>
>> However port 60000 is "owned by" postgrey and I can't seem to get past that.
>>
>> I don't want to add SELinux policy that allows my app to use postgrey's port,
>>
>> I want my app to think the port is myapp_port_t.
>>


>>
>> Is there a way to free port 60000 from postgrey?
> 
> No easy way, no. The port is declared in the corenetwork source policy, which is compiled into the base module. You cannot alter/remove policy that is defined in base without editing and rebuilding the whole thing.
> 
> You would have to get the selinux-policy.src.rpm corresponding to what you have installed, prep it (apply patch), then in corenetwork.te.in remove the declaration for the particular port, rebuild and reinstall it.
> 
> But why not share the port with postgrey? Only one service can bind to it at a time anyways. Other objects get shared all the time.
> 
>>
>>
>>
>> [root@domingo install]# netstat -an | grep 60000
>>
>> [root@domingo install]# semanage port -l | grep 60000
>>
>> postgrey_port_t                tcp      60000
>>
>> [root@domingo install]# /usr/sbin/semanage port -d -t postgrey_port_t -p tcp 60000
>>
>> /usr/sbin/semanage: Port tcp/60000 is defined in policy, cannot be deleted
>>
>> [root@domingo install]#
>>
>>
>>
>>

I agree, your best choice is to just let your app use postgrey_port_t
>>
>>
>>
>> Thanks,
>>
>> Brian
>>
>>

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
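As an added example (not code from the thread), a small bash script that follows the advice above: it parses a constructed `semanage port -l` snippet to find which type owns a port, then emits the minimal policy module that lets a confined domain bind to that existing type instead of trying to delete a port declared in base policy. The domain name `myapp_t` is a placeholder for the confined application's domain.

```bash
#!/bin/bash
# Added example, not from the thread. Ports declared in corenetwork (base policy)
# cannot be removed with `semanage port -d`; the supported route is to allow the
# confined domain to name_bind the port's existing type.
set -eu

# Constructed sample of `semanage port -l` output (the real command needs root
# on an SELinux-enabled host), used here so the script runs offline.
SEMANAGE_PORT_LIST='postgrey_port_t                tcp      60000
postgresql_port_t              tcp      5432
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000'

# port_type PROTO PORT -> prints the SELinux port type owning PROTO/PORT,
# or nothing if the port is unlabelled in the list.
port_type() {
    local proto="$1" port="$2"
    printf '%s\n' "$SEMANAGE_PORT_LIST" | awk -v p="$proto" -v n="$port" '
        $2 == p {
            # ports follow the protocol column as a comma separated list
            for (i = 3; i <= NF; i++) {
                gsub(",", "", $i)
                if ($i == n) { print $1; exit }
            }
        }'
}

# bind_module DOMAIN PORT_TYPE -> Type Enforcement source for a loadable module
# allowing DOMAIN to bind TCP sockets to ports labelled PORT_TYPE.
# Build and load with:
#   make -f /usr/share/selinux/devel/Makefile myapp_port.pp
#   semodule -i myapp_port.pp
bind_module() {
    local domain="$1" ptype="$2"
    cat <<EOF
policy_module(${domain%_t}_port, 1.0)

require {
    type $domain;
    type $ptype;
}

# Share the port type with its original owner; only one process can bind anyway.
allow $domain $ptype:tcp_socket name_bind;
EOF
}

# Demonstration: port 60000/tcp is owned by postgrey_port_t, so generate the
# module that lets the placeholder domain myapp_t listen there.
bind_module myapp_t "$(port_type tcp 60000)"
```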
