On 07/17/2013 02:19 PM, Dominick Grift wrote:
> On Wed, 2013-07-17 at 14:08 -0800, Erinn Looney-Triggs wrote:
>> Sorry to respond to myself but I forgot the vitals:
>>
>> RHEL 6.4 x64
>> selinux-policy-3.7.19-195.el6_4.12.noarch
>>
>> -Erinn
>
> So it's allowed to bind tcp socket to generic tcp port_t type ports if
> the allow_ypbind boolean is set (sesearch with -ASCT would show you
> that)
>
> allow_ypbind boolean is not recommended though since it is very coarse.
>
> Instead use semanage to label the port (tcp:8891) with one of the
> available port types (seinfo -axport_type), then use audit2allow, after
> reproducing the event, to allow bind tcp socket to ports with that type
>
> You can also create a new port type and use that:
>
> cat > mytest.te <<EOF
> policy_module(mytest, 1.0.0)
> type myport_t;
> corenet_port(myport_t)
>
> optional_policy(\`
> gen_require(\`
> type dkim_milter_t;
> ')
>
> allow dkim_milter_t myport_t:tcp_socket name_bind;
> ')
> EOF
>
> make -f /usr/share/selinux/devel/Makefile mytest.pp
> sudo semodule -i mytest.pp
>
>>
>> --
>> selinux mailing list
>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>

Dominick,

Thanks a lot, I figured there was some gap there that needed bridging in my knowledge, and you kindly pointed me in the right direction.

-Erinn
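The dedicated-port-type approach from the reply above, as an added example that is not part of the thread or of any SELinux tool: it reads a `name_bind` AVC denial and produces the policy module in the shape Dominick shows, plus the `semanage port` command that labels the port with the new type. The sample denial is constructed (only the port 8891, `dkim_milter_t` and `port_t` come from the thread), and `parse_name_bind_denial`, `build_fix` and `TE_TEMPLATE` are hypothetical names.

```python
import re

# Constructed sample (pid, comm, timestamp assumed); port and domain are the thread's.
SAMPLE_AVC = (
    'type=AVC msg=audit(1374098940.123:456): avc:  denied  { name_bind } for '
    'pid=1234 comm="dkim-filter" src=8891 '
    'scontext=unconfined_u:system_r:dkim_milter_t:s0 '
    'tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?\bsrc=(?P<port>\d+)\s.*?'
    r'scontext=\w+:\w+:(?P<source>\w+)\S*\s+'
    r'tcontext=\w+:\w+:(?P<target>\w+)\S*\s+'
    r'tclass=(?P<proto>tcp|udp)_socket\b', re.ASCII)
IDENT_RE = re.compile(r'[A-Za-z_]\w*\Z', re.ASCII)

# Same module shape as in the thread, written to a file so no shell escaping.
TE_TEMPLATE = """\
policy_module({module}, 1.0.0)
type {port_type};
corenet_port({port_type})

optional_policy(`
    gen_require(`
        type {source};
    ')

    allow {source} {port_type}:{proto}_socket name_bind;
')
"""

def parse_name_bind_denial(line):
    """Return the fields of a name_bind AVC denial, or None for other lines."""
    m = AVC_RE.search(line)
    if not m or 'name_bind' not in m.group('perms').split():
        return None
    return dict(m.groupdict(), port=int(m.group('port')))

def build_fix(denial, module='mytest', port_type='myport_t'):
    """Return (semanage command, .te source) for a dedicated port type."""
    if not (IDENT_RE.match(module) and IDENT_RE.match(port_type)):
        raise ValueError('module and port type must be plain identifiers')
    if not 1 <= denial['port'] <= 65535:
        raise ValueError('port out of range')
    # The port can only be labelled once the module defining port_type is loaded.
    cmd = 'semanage port -a -t {} -p {proto} {port}'.format(port_type, **denial)
    te = TE_TEMPLATE.format(module=module, port_type=port_type, **denial)
    return cmd, te
```

A `target` of `port_t` in the parsed denial means the port is still unlabelled, which is the case where the `allow_ypbind` boolean would otherwise be the only thing permitting the bind.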