>>>> what are the actually allowed TCP ports processes in the
>>>> tor_t domain are allowed to bind to? (with
>>>> tor_bind_all_unreserved_ports --> off tor_can_network_relay
>>>> --> on)
>>>>
>>>>
>>>> semanage gives me: tor_port_t tcp 6969, 9001,
>>>> 9030, 9050, 9051, 9150
>>>>
>>>> but tor can bind to 80,443 or 9000 without problems. (but
>>>> for example 5000 is not allowed -> AVCs)

>> If you need some custom port for tor binding and you won't use
>> 'tor_bind_all_unreserved_ports' boolean, you could use semanage
>> tool to label your custom port as tor_port_t. Example:
>>
>> semanage port -a -t tor_port_t -p tcp 5000

That sounds great to allow it to run without allowing more than needed, unfortunately it does not work for every port:

ValueError: Port tcp/5000 already defined

-- 
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
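An added example, not part of the original message: a shell helper that reads `semanage port -l` output, finds which type already owns a port, and prints the matching `semanage port` call, using `-a` for an undefined port and `-m` (semanage's modify option, which the thread does not mention) for one that is already defined. It assumes `-a` is refused only when that exact port entry exists; the function names are hypothetical and the listing is constructed, with only the `tor_port_t` row taken from the thread.

```shell
#!/bin/sh
# Constructed sample in the layout of `semanage port -l`. Only the tor_port_t
# row comes from the thread; the other rows are illustrative.
SAMPLE_LISTING='SELinux Port Type              Proto    Port Number

commplex_main_port_t           tcp      5000
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
tor_port_t                     tcp      6969, 9001, 9030, 9050, 9051, 9150
unreserved_port_t              tcp      61001-65535, 1024-32767'

# exact_owner PROTO PORT: read a listing on stdin and print the type that
# lists PORT as its own entry. Ranges that merely contain PORT are ignored
# (assumption: only an identical entry makes `semanage port -a` refuse).
exact_owner() {
    awk -v proto="$1" -v port="$2" '
        $2 == proto {
            type = $1
            $1 = ""; $2 = ""            # keep only the port list
            gsub(/,/, " ")
            n = split($0, entry, " ")
            for (i = 1; i <= n; i++)
                if (entry[i] == port) { print type; exit }
        }'
}

# label_cmd PROTO PORT TYPE: print the semanage call that labels PORT as TYPE.
# Real use: semanage port -l | label_cmd tcp 5000 tor_port_t
label_cmd() {
    owner=$(exact_owner "$1" "$2")
    if [ -z "$owner" ]; then
        echo "semanage port -a -t $3 -p $1 $2"        # no entry yet: add
    elif [ "$owner" = "$3" ]; then
        echo "# $1/$2 is already $3"                  # nothing to do
    else
        echo "semanage port -m -t $3 -p $1 $2 # overrides $owner"
    fi
}

printf '%s\n' "$SAMPLE_LISTING" | label_cmd tcp 5000 tor_port_t
printf '%s\n' "$SAMPLE_LISTING" | label_cmd tcp 5001 tor_port_t
```

A `-m` relabel replaces the port's type for every domain, so anything that was allowed to use the port through its previous type loses that access.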