On Wed, Apr 12, 2023 at 11:21, James Carter <jwcart2@xxxxxxxxx> wrote:
>
> On Wed, Apr 12, 2023 at 1:12 AM Etienne Champetier
> <champetier.etienne@xxxxxxxxx> wrote:
> >
> > Hello,
> >
> > Is there a way to ship a cil module changing the type of port 80 ?
> >
> > ie something like
> > > (portcon tcp 80 (system_u object_r websm_port_t ((s0)(s0))))
> >
> > When I try to install such module I get an error, I guess because port
> > 80 is already defined
> > > Problems processing portcon rules
> > > Failed post db handling
> > > semodule: Failed!
> >
> > Best
> > Etienne
>
> The portcon rules are all in the base module.
>
> You could do the following (on a Fedora system):
> 1) Extract the base module into a cil file
> semodule -cE base
> 2) Modify the portcon rule for tcp 80
> 3) Install the modified base module at a higher priority
> semodule -X 200 -i base.cil
>
> The original base module will still exist at priority 100.
> You can see that by doing:
> semodule -lfull
>
> You can remove the higher priority module later by doing:
> semodule -X 200 -r base
>
> That will revert you back to the original base module.

Thanks for the hack, indeed modifying base could be a solution.
I'm still wondering why the limitation exists (I only tested on Alma 8),
I can ship a portcon rule in a .cil module if the port is not already defined,
and ports.local is basically just portcon rules, no special modifier to say
that we are modifying an existing port.

> I hope that helps.
> Jim
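
Step 2 of the procedure quoted above (modify the portcon rule for tcp 80) can be scripted so that only the exact-port rule changes. This is an added example, not part of the thread or of any SELinux tooling: the helper names `retype_portcon` and `write_sample_cil` are hypothetical, and the sample rules and their type names are constructed stand-ins for a real extracted `base.cil`.

```shell
#!/bin/sh
# Added example (not from the thread): retype one exact-port portcon rule
# in an extracted base.cil. Range rules and other ports are left untouched.

# retype_portcon FILE PROTO PORT NEWTYPE
# Returns 0 on success, 1 if there is not exactly one matching rule,
# 2 on malformed arguments.
retype_portcon() {
    file=$1 proto=$2 port=$3 newtype=$4
    case $proto in tcp|udp|dccp|sctp) ;; *) return 2 ;; esac
    case $port in ''|*[!0-9]*) return 2 ;; esac
    case $newtype in ''|*[!A-Za-z0-9_.]*) return 2 ;; esac
    # Group 1 = everything up to the type field: (portcon PROTO PORT (user role
    pat="^([[:space:]]*\(portcon[[:space:]]+${proto}[[:space:]]+${port}[[:space:]]+\([^[:space:]]+[[:space:]]+[^[:space:]]+[[:space:]]+)[^[:space:]()]+"
    n=$(grep -Ec "$pat" "$file" || true)
    [ "$n" = 1 ] || return 1
    tmp=$(mktemp) || return 1
    # Write through a temp file, then copy back so FILE keeps its permissions.
    sed -E "s/${pat}/\\1${newtype}/" "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?; rm -f "$tmp"; return $rc
}

# Constructed sample standing in for the output of `semodule -cE base`.
write_sample_cil() {
    cat > "$1" <<'EOF'
(portcon tcp 80 (system_u object_r http_port_t ((s0) (s0))))
(portcon udp 80 (system_u object_r reserved_port_t ((s0) (s0))))
(portcon tcp 8080 (system_u object_r http_cache_port_t ((s0) (s0))))
(portcon tcp (1 511) (system_u object_r reserved_port_t ((s0) (s0))))
EOF
}

# Demo on the constructed sample: only the first rule should change.
demo=$(mktemp)
write_sample_cil "$demo"
retype_portcon "$demo" tcp 80 websm_port_t && grep -n 'portcon' "$demo"
rm -f "$demo"

# On a real system the surrounding steps from the thread would be:
#   semodule -cE base
#   retype_portcon base.cil tcp 80 websm_port_t
#   semodule -X 200 -i base.cil
```

The function refuses to edit when the rule is missing or duplicated, so a failed match never produces a silently unchanged base module at priority 200.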