Re: [CentOS] SEmodule dependency hell.
You should be able to modify the definition of a port. Or create a new port type and modify the existing port to use it. http_port_t is just a name (type) that we can use to group a number of ports together. Sadly we do not separate the port types of incoming and outgoing connections. So if you confined httpd and firefox on the same machine, it gets difficult to say firefox is allowed to connect to ports 80, 8080 and 8000 while your httpd service is only able to bind to port 8000, without defining new types and installing custom policy modules.

On 04/02/2015 11:03 AM, Andrew Holway wrote:
> File a bug!!!
>
> On 2 April 2015 at 16:20, James B. Byrne wrote:
>
>> On Wed, April 1, 2015 16:09, Andrew Holway wrote:
>>> I used the command: semanage port -m -t http_port_t -p tcp 8000
>>> to relabel a port. Perhaps you could try:
>>> "semanage port -m -t unconfined_t -p tcp 8000"
>>> Failing that, would it work to run your application in the httpd_t
>>> domain?
>>>
>> I ended up having to create a custom policy to allow the other
>> application to have access to the http_port_t context. Which is not
>> an issue given that no httpd service is, or will ever be, installed on
>> that host.
>>
>> However, it seems a rather dangerous hole in the logical design of
>> SELinux that one cannot explicitly remove and reassign contexts to
>> ports. In order to accomplish this on a system running httpd but
>> attached to non-standard ports one perforce is required to cross link
>> permissions between all of the affected processes. Which I cannot
>> conceive as a security enhancement.
>>
>> --
>> *** E-Mail is NOT a SECURE channel ***
>> James B. Byrne                mailto:byrn...@harte-lyne.ca
>> Harte & Lyne Limited          http://www.harte-lyne.ca
>> 9 Brockley Drive              vox: +1 905 561 1241
>> Hamilton, Ontario             fax: +1 905 561 0757
>> Canada  L8E 3C3

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
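The reply above suggests the clean route: rather than granting a second daemon access to http_port_t (which also lets anything that may bind http_port_t bind the daemon's port), define a dedicated port type in a small policy module and move the port to it. The script below is an added example written for this thread, not code posted by anyone in it. The `semanage port -l` listing it parses is a constructed sample (the real listing on a host differs), and `myapp_t` is a hypothetical confined domain standing in for the application in question.

```shell
#!/bin/sh
# Added example, not code from the thread. Finds which SELinux port type
# currently owns a TCP port, then writes a policy module that declares a
# dedicated port type so a confined daemon (hypothetical domain myapp_t)
# can bind that port without being given http_port_t at all.

# Constructed sample of `semanage port -l` output; type names and port
# lists are illustrative only, check the real listing on the host.
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
soundd_port_t                  tcp      8000, 9433, 16001
ssh_port_t                     tcp      22'

# port_type_for PROTO PORT [LISTING]
# Prints the port type whose entry covers PORT, handling single ports and
# "low-high" ranges. Prints nothing when no entry claims the port.
port_type_for() {
    proto=$1; port=$2; listing=${3:-$SAMPLE_PORTS}
    printf '%s\n' "$listing" | awk -v proto="$proto" -v port="$port" '
        NR == 1 { next }          # header line
        $2 != proto { next }
        {
            # fields 3..NF are the comma-separated ports and ranges
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                if (p ~ /-/) {
                    split(p, r, "-")
                    if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) { print $1; exit }
                } else if (p + 0 == port + 0) { print $1; exit }
            }
        }'
}

# write_port_module DIR PORT_TYPE DOMAIN
# Writes DIR/<module>.te declaring PORT_TYPE as a new port type and allowing
# DOMAIN, and nothing else, to bind it. Prints the path written.
write_port_module() {
    dir=$1; ptype=$2; domain=$3
    mod=${ptype%_t}
    te="$dir/$mod.te"
    cat > "$te" <<EOF
policy_module($mod, 1.0)

require {
    type $domain;
}

# Dedicated port type: no existing domain has name_bind on it.
type $ptype;
corenet_port($ptype)

# Only the confined daemon may listen on ports labelled $ptype.
allow $domain $ptype:tcp_socket name_bind;
EOF
    printf '%s\n' "$te"
}

# apply_port_move TE_FILE PORT_TYPE PORT
# Steps to run as root on the target host (not run by this script): build
# and install the module, then re-label the port. "-m" rewrites an existing
# definition, as in the thread; "-a" is the fallback for a port no type has
# claimed yet. Afterwards the domains that could bind the old type (for
# example httpd_t for http_port_t) can no longer bind this port.
apply_port_move() {
    te=$1; ptype=$2; port=$3
    pp=$(basename "${te%.te}.pp")
    ( cd "$(dirname "$te")" &&
      make -f /usr/share/selinux/devel/Makefile "$pp" &&
      semodule -i "$pp" ) &&
    { semanage port -m -t "$ptype" -p tcp "$port" 2>/dev/null ||
      semanage port -a -t "$ptype" -p tcp "$port"; }
}
```

Run `port_type_for tcp 8000` first and keep the answer: it tells you which existing domains lose the port once it is moved, which is the check to make before `apply_port_move` on a host that also runs httpd on non-standard ports. Note that `corenet_port()` only marks the type as a port type; no `allow` rule other than the one in the module grants `name_bind` on it, so the new type is as narrow as the thread's request wanted.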
Re: [CentOS] SEmodule dependency hell.
File a bug!!!

On 2 April 2015 at 16:20, James B. Byrne wrote:
>
> On Wed, April 1, 2015 16:09, Andrew Holway wrote:
>> I used the command: semanage port -m -t http_port_t -p tcp 8000
>> to relabel a port. Perhaps you could try:
>> "semanage port -m -t unconfined_t -p tcp 8000"
>> Failing that, would it work to run your application in the httpd_t
>> domain?
>>
>
> I ended up having to create a custom policy to allow the other
> application to have access to the http_port_t context. Which is not
> an issue given that no httpd service is, or will ever be, installed on
> that host.
>
> However, it seems a rather dangerous hole in the logical design of
> SELinux that one cannot explicitly remove and reassign contexts to
> ports. In order to accomplish this on a system running httpd but
> attached to non-standard ports one perforce is required to cross link
> permissions between all of the affected processes. Which I cannot
> conceive as a security enhancement.
Re: [CentOS] SEmodule dependency hell.
On Wed, April 1, 2015 16:09, Andrew Holway wrote:
> I used the command: semanage port -m -t http_port_t -p tcp 8000
> to relabel a port. Perhaps you could try:
> "semanage port -m -t unconfined_t -p tcp 8000"
> Failing that, would it work to run your application in the httpd_t
> domain?
>

I ended up having to create a custom policy to allow the other application to have access to the http_port_t context. Which is not an issue given that no httpd service is, or will ever be, installed on that host.

However, it seems a rather dangerous hole in the logical design of SELinux that one cannot explicitly remove and reassign contexts to ports. In order to accomplish this on a system running httpd but attached to non-standard ports one perforce is required to cross link permissions between all of the affected processes. Which I cannot conceive as a security enhancement.

--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
Re: [CentOS] SEmodule dependency hell.
I used the command: semanage port -m -t http_port_t -p tcp 8000 to relabel a port. Perhaps you could try:

"semanage port -m -t unconfined_t -p tcp 8000"

Failing that, would it work to run your application in the httpd_t domain?

Ta,
Andrew

On 1 April 2015 at 18:23, James B. Byrne wrote:
> I want you all to see what I went through trying to simply reassign
> (unsuccessfully) the context of a well-known port.
>
> To the best of my ability to recall none of the packages mentioned
> below are even installed on the host in question. Why are these
> dependencies preventing me from removing a disused SELinux policy?
>
> I have done exactly that, reassign port contexts, in the past without
> encountering this situation. So it has to be a recent development. I
> am not against SELinux. We use it extensively. But this is not
> security, it is simply BS.
>
> It is stuff like this that causes people to say just turn selinux off
> altogether.
>
>
> semodule -r apache
> libsepol.print_missing_requirements: awstats's global requirements were not met: type/attribute httpd_log_t (No such file or directory).
> libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
> semodule: Failed!
>
> semodule -r awstats
>
> semodule -r apache
> libsepol.print_missing_requirements: bugzilla's global requirements were not met: type/attribute httpd_t (No such file or directory).
> libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
> semodule: Failed!
>
> semodule -r bugzilla
>
> semodule -r apache
> libsepol.print_missing_requirements: cobbler's global requirements were not met: type/attribute httpd_t (No such file or directory).
> libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
> semodule: Failed!
>
> semodule -r cobbler
>
> semodule -r apache
> libsepol.print_missing_requirements: collectd's global requirements were not met: type/attribute httpd_t (No such file or directory).
> libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
> semodule: Failed!
>
> semodule -r collectd
>
> semodule -r apache
> libsepol.print_missing_requirements: git's global requirements were not met: type/attribute httpd_t (No such file or directory).
> libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
> semodule: Failed!
>
> semodule -r git
>
> semodule -r apache
> libsepol.print_missing_requirements: gpg's global requirements were not met: type/attribute httpd_sys_content_t (No such file or directory).
> libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
> semodule: Failed!
>
> semodule -r gpg
>
> semodule -r apache
> libsepol.print_missing_requirements: mediawiki's global requirements were not met: type/attribute httpd_t (No such file or directory).
> libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
> semodule: Failed!
>
> semodule -r mediawiki
>
> semodule -r apache
> libsepol.print_missing_requirements: munin's global requirements were not met: type/attribute httpd_t (No such file or directory).
> libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
> semodule: Failed!
>
> semodule -r munin
>
> semodule -r apache
> libsepol.print_missing_requirements: nagios's global requirements were not met: type/attribute httpd_t (No such file or directory).
> libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
> semodule: Failed!
>
> semodule -r nagios
>
> semodule -r apache
> libsepol.print_missing_requirements: w3c's global requirements were not met: type/attribute httpd_t (No such file or directory).
> libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
> semodule: Failed!
>
> semodule -r apache
> libsepol.print_missing_requirements: webadm's global requirements were not met: type/attribute httpd_t (No such file or directory).
> libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
> semodule: Failed!
>
> semodule -r webadm
>
> semodule -r apache
> libsepol.print_missing_requirements: webalizer's global requirements were not met: type/attribute httpd_sys_content_t (No such file or directory).
> libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
> semodule: Failed!
>
> semodule -r webalizer
>
> semodule -r apache
> libsepol.context_from_record: type httpd_openshift_script_exec_t is not defined
> libsepol.context_from_record: could not create context structure
> libsepol.context_from_string: could not create context structure
> libsepol.sepol_context_to_sid: could not convert unconfined_u:object_r:httpd_openshift_script_exec_t:s0 to sid
> invalid context unconfined_u:object_r:httpd_openshift_script_exec_t:s0
> libsemanage.semanage_install_active: setfiles returned error code 1.
> semodule: Failed!
>
> se
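The quoted transcript shows the shape of the problem: `semodule -r apache` fails once per module that requires an apache type, so the cascade is only discovered one removal at a time, and the last attempt fails differently, because the installed file contexts still reference a type that no longer exists. The script below is an added example, not code from the thread; it reads that error output (an excerpt of the lines quoted above, joined back into single lines) and reports the whole dependency set and the dangling types in one pass, which is the check worth doing before deciding whether removing the module is even the right fix.

```shell
#!/bin/sh
# Added example, not from the thread. Summarises the output of repeated
# `semodule -r apache` attempts: which modules require apache types, and
# which types the file contexts still reference after removal.

# Excerpt of the semodule output quoted above (three of the twelve
# unmet-requirement failures plus the final setfiles error), with the
# mail-client line wrapping undone.
SAMPLE_LOG="semodule -r apache
libsepol.print_missing_requirements: awstats's global requirements were not met: type/attribute httpd_log_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule: Failed!
semodule -r apache
libsepol.print_missing_requirements: bugzilla's global requirements were not met: type/attribute httpd_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule: Failed!
semodule -r apache
libsepol.print_missing_requirements: gpg's global requirements were not met: type/attribute httpd_sys_content_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule: Failed!
semodule -r apache
libsepol.context_from_record: type httpd_openshift_script_exec_t is not defined
libsepol.context_from_record: could not create context structure
libsepol.sepol_context_to_sid: could not convert unconfined_u:object_r:httpd_openshift_script_exec_t:s0 to sid
libsemanage.semanage_install_active: setfiles returned error code 1.
semodule: Failed!"

# required_by LOG: print "module type" for each unmet-requirement line,
# in the order the failures occurred.
required_by() {
    printf '%s\n' "$1" | sed -n \
        "s/^libsepol\.print_missing_requirements: \([A-Za-z0-9_-]*\)'s global requirements were not met: type\/attribute \([A-Za-z0-9_]*\).*/\1 \2/p"
}

# blockers LOG: the unique, sorted set of modules that would also have to
# be removed before the apache module can go.
blockers() {
    required_by "$1" | awk '{ print $1 }' | sort -u
}

# undefined_types LOG: types that the installed file contexts still
# reference once the module defining them has been removed.
undefined_types() {
    printf '%s\n' "$1" | sed -n \
        's/^libsepol\.context_from_record: type \([A-Za-z0-9_]*\) is not defined$/\1/p'
}

# summary LOG: human-readable report combining the two checks.
summary() {
    log=$1
    required_by "$log" | awk '{ printf "%-12s needs %s\n", $1, $2 }'
    for t in $(undefined_types "$log"); do
        printf 'file contexts still reference undefined type %s\n' "$t"
    done
}
```

On the full transcript `blockers` lists eleven modules for a host that, by the poster's account, has none of those packages installed; that is the size of the change a plain `semodule -r apache` implies, and the reason the earlier reply's approach (leave the module in place and give the port its own type) is the smaller and safer edit. The `undefined_types` output explains the final failure: `semodule` rebuilds and applies the file contexts after linking, and a context naming a type the policy no longer defines is rejected by `setfiles`.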