> If you need to bind on a defined port, there is a way to make a "local"
> policy with a rule allowing this. To build a local policy follow this:
> 1. Generate the AVC (in your case tor is binding to port 5000)
> 2. Store this AVC in some file (like tor_local.txt)
> 3. use: $ cat ./tor_local.txt | audit2allow -M tor_local
> 4. use: # semodule -i tor_local.pp

I'm aware of this process but it is not applicable in an ansible role [1] (my use case).

> Last thing, be careful with this. Make local policies when you
> know what you are allowing, due to security reasons.

Yes, you definitely don't want to perform this blindly and automatically.

I would have no problem running semanage port -a ... $port since the user's selected tor ports are obviously available - that would have been a neat solution to create a tailored SELinux adjustment without the user even noticing and still working out of the box with arbitrary ports. Probably too nice to actually work.

[1] https://github.com/nusenu/ansible-relayor

-- 
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
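The two approaches discussed in this thread differ in what they grant. Running the AVC through audit2allow yields a rule that lets tor_t bind to whatever type port 5000 currently carries (unreserved_port_t in a stock Fedora policy, i.e. every unreserved port), while `semanage port -a -t tor_port_t -p tcp 5000` labels one port and grants nothing else. The script below is an added example, not code from the thread or from the ansible-relayor role; it shows the idempotence check a role would need before running semanage. It assumes the Tor port type is named tor_port_t (the name in the Fedora targeted policy) and parses `semanage port -l` output; the listing embedded in the script is constructed, not captured from a real host, and it refuses to relabel a port that another service already owns rather than silently moving it with `semanage port -m`.

```shell
#!/bin/sh
# Added example (not from the mailing list thread or the ansible-relayor role).
# Plans the `semanage port` call needed so Tor may bind the requested port,
# without audit2allow. Assumption: Tor's port type is tor_port_t.
TOR_PORT_TYPE=tor_port_t

# Constructed sample of `semanage port -l` output (not taken from a real host).
SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
tor_port_t                     tcp      6969, 9001, 9030, 9050, 9051, 9150
unreserved_port_t              tcp      1024-32767, 61001-65535'

# port_type PORT PROTO LISTING
# Prints the type that explicitly lists PORT for PROTO, or nothing when the
# port is only covered by a range such as unreserved_port_t's 1024-32767.
port_type() {
    port=$1; proto=$2; listing=$3
    while read -r type lproto ports; do
        [ "$lproto" = "$proto" ] || continue
        # The port column is comma separated; compare each token exactly so that
        # range entries like 1024-32767 never match a single port number.
        for p in $(printf '%s' "$ports" | tr ',' ' '); do
            if [ "$p" = "$port" ]; then
                printf '%s\n' "$type"
                break 2
            fi
        done
    done <<EOF
$listing
EOF
    return 0
}

# plan_port_command PORT PROTO [LISTING]
# Prints the semanage command to run, prints nothing when the port is already
# tor_port_t, and returns 2 without printing a command when another type owns
# the port (relabeling it would silently change what that other service may bind).
plan_port_command() {
    port=$1; proto=$2; listing=${3:-$(semanage port -l)}
    case "$port" in
        *[!0-9]*|'')
            printf 'refusing non-numeric port %s\n' "$port" >&2
            return 1
            ;;
    esac
    current=$(port_type "$port" "$proto" "$listing")
    if [ "$current" = "$TOR_PORT_TYPE" ]; then
        return 0                      # nothing to do: already labelled for Tor
    elif [ -z "$current" ]; then
        printf 'semanage port -a -t %s -p %s %s\n' "$TOR_PORT_TYPE" "$proto" "$port"
    else
        printf 'port %s/%s is already %s; pick another port instead of relabeling it\n' \
            "$port" "$proto" "$current" >&2
        return 2
    fi
}

# Demo: `sh plan_tor_ports.sh --demo 5000 9001 9000` prints the plan for each port
# against the constructed listing; drop the third argument to query the live host.
if [ "${1-}" = "--demo" ]; then
    shift
    for port in "$@"; do
        plan_port_command "$port" tcp "$SAMPLE_PORT_LIST" || echo "skipped $port"
    done
fi
```

Against the constructed listing, port 5000 gets `semanage port -a -t tor_port_t -p tcp 5000`, port 9001 needs nothing, and port 9000 is refused because http_port_t already claims it. The refusal is the point of the check: a role that ran `semanage port -m` there would quietly take the port away from httpd, which is the "blindly and automatically" outcome the thread warns about.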