On Wed, Apr 12, 2023 at 1:55 PM Etienne Champetier <champetier.etienne@xxxxxxxxx> wrote:
>
> On Wed, Apr 12, 2023 at 11:21, James Carter <jwcart2@xxxxxxxxx> wrote:
> >
> > On Wed, Apr 12, 2023 at 1:12 AM Etienne Champetier
> > <champetier.etienne@xxxxxxxxx> wrote:
> > >
> > > Hello,
> > >
> > > Is there a way to ship a cil module changing the type of port 80 ?
> > >
> > > ie something like
> > > > (portcon tcp 80 (system_u object_r websm_port_t ((s0)(s0))))
> > >
> > > When I try to install such module I get an error, I guess because port
> > > 80 is already defined
> > > > Problems processing portcon rules
> > > > Failed post db handling
> > > > semodule: Failed!
> > >
> > > Best
> > > Etienne
> >
> > The portcon rules are all in the base module.
> >
> > You could do the following (on a Fedora system):
> > 1) Extract the base module into a cil file
> > semodule -cE base
> > 2) Modify the portcon rule for tcp 80
> > 3) Install the modified base module at a higher priority
> > semodule -X 200 -i base.cil
> >
> > The original base module will still exist at priority 100.
> > You can see that by doing:
> > semodule -lfull
> >
> > You can remove the higher priority module later by doing:
> > semodule -X 200 -r base
> >
> > That will revert you back to the original base module.
>
> Thanks for the hack, indeed modifying base could be a solution
>
> I'm still wondering why the limitation exists (I only tested on Alma 8),
> I can ship a portcon rule in a .cil module if the port is not already defined,
> and ports.local is basically just portcon rules,
> no special modifier to say that we are modifying an existing ports
>

The problem is that only one rule can apply to a given port. If you have multiple rules, then which one do you use? If you just use the last portcon rule, then the ordering of rules becomes important. In CIL, we did not want the order of the rules to matter.

If you used a special modifier, then you still have the problem of what to do if two portcon rules used the special modifier. If all the portcon rules were in a separate module, then we could probably modify semanage to track portcon rules and update that module as necessary. But there hasn't been much demand for that.

Jim

> > I hope that helps.
> >
> > Jim
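The three-step workaround quoted in the thread (extract base, edit the tcp/80 portcon rule, install at priority 200), as an added shell example that is not part of the thread and is not SELinux project code. The sample CIL lines and the helper names (`make_sample_cil`, `portcon_type`, `count_portcon`, `rewrite_portcon`, `install_override`, `revert_override`) are constructed for this example; the `semodule` invocations are the ones James gives above, and `websm_port_t` is the type from Etienne's question. The rewrite and the checks run on a plain file, so they can be tried without a policy store; only `install_override` and `revert_override` need root and a real SELinux system.

```shell
#!/bin/sh
# Added example (not from the thread): override the tcp/80 portcon rule by
# shipping a modified copy of the base module at a higher priority.
# Assumes a Fedora-style CIL base module and semodule from policycoreutils.

# Write a constructed, minimal stand-in for the extracted base.cil so the
# rewrite can be exercised without a real policy store.
make_sample_cil() {
    cat > "$1" <<'EOF'
(portcon tcp 80 (system_u object_r http_port_t ((s0) (s0))))
(portcon tcp 443 (system_u object_r http_port_t ((s0) (s0))))
(portcon udp 80 (system_u object_r http_port_t ((s0) (s0))))
EOF
}

# Print the type currently assigned to <proto> <port> in a CIL file.
# Usage: portcon_type <file.cil> <proto> <port>
portcon_type() {
    sed -nE "s/^\(portcon $2 $3 \(system_u object_r ([A-Za-z0-9_]+) .*/\1/p" "$1"
}

# Count portcon rules for <proto> <port>. CIL accepts at most one rule per
# port, which is why a second module cannot simply add its own.
# Usage: count_portcon <file.cil> <proto> <port>
count_portcon() {
    grep -cE "^\(portcon $2 $3 " "$1"
}

# Step 2 of the workaround: rewrite the single portcon rule for <proto> <port>
# to <newtype>, leaving every other rule untouched.
# Usage: rewrite_portcon <in.cil> <out.cil> <proto> <port> <newtype>
rewrite_portcon() {
    sed -E "s/^\(portcon $3 $4 \(system_u object_r [A-Za-z0-9_]+ /(portcon $3 $4 (system_u object_r $5 /" "$1" > "$2"
}

# Steps 1 and 3, using the semodule commands quoted in the thread. Needs root
# and an SELinux policy store; defined here but not invoked.
install_override() {
    semodule -cE base                  # 1) extract the base module to ./base.cil
    rewrite_portcon base.cil base-override.cil tcp 80 websm_port_t
    mv base-override.cil base.cil
    semodule -X 200 -i base.cil        # 3) install at priority 200; original stays at 100
    semodule -lfull | grep -w base     # both priorities of base should now be listed
}

# Drop the override; the priority-100 base module becomes active again.
revert_override() {
    semodule -X 200 -r base
}
```

The rewrite keys on the exact `proto port` pair, so `tcp 80` does not touch `tcp 800` or `udp 80`; checking `count_portcon` on the result before installing confirms you still have exactly one rule for the port, which is the condition the "Problems processing portcon rules" failure was enforcing.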