[rhelv6-list] Modifications to the Base SELinux Policy
Matthias Saou
matthias at saou.eu
Thu Jun 13 12:02:59 UTC 2013
On Thu, 13 Jun 2013 08:18:15 -0230
Damian Gerow <dgerow at afflictions.org> wrote:
> A while back, I started writing some policy modules for some in-house
> software. Unfortunately, this software used a port that was claimed
> by hplip_port_t somewhere in the base policy, and there didn't seem
> to be a way to remove the port from hplip_port_t:
>
> Port tcp/xxxx is defined in policy, cannot be deleted
>
> The 'fix' I have for this is that we now have our own base policy,
> that is simply the 'targeted' policy with the appropriate ports
> removed from hplip_port_t. Which is a giant pain, as we now have to
> re-compile our base policy, updated to the new source, whenever
> there's an SELinux update.
>
> Is there a better way to override a port that's defined in the base
> policy, or is providing a different base policy the way to go?
>
> (Changing the port for our software is a non-option at this point,
> unfortunately.)

What about a "mildly-ugly" solution of allowing access to ports of
hplip_port_t type in your custom module? It does have the downside of
allowing binding to a lot more ports than you need (I see 18), but
that's probably not a major issue.

Matthias
--
Matthias Saou
Web: http://matthias.saou.eu/
Mail/XMPP: matthias at saou.eu
GPG: 4096R/E755CC63
8D91 7E2E F048 9C9C 46AF 21A9 7A51 7B82 E755 CC63
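
The approach suggested in the reply above, sketched as a small loadable policy module (an added example, not part of the original message or of any shipped policy). `myapp_t` is an assumed name for the in-house software's domain and `myapp_hplip_bind` is a placeholder module name.

```selinux
# myapp_hplip_bind.te
# Added example: lets a custom domain bind to ports that the base policy
# labels hplip_port_t, without rebuilding the base policy.
#
# Assumptions: myapp_t is a hypothetical domain already defined by the
# in-house policy module; the module name is a placeholder.
#
# List the ports this rule will cover before loading it:
#   semanage port -l | grep hplip_port_t
#
# Build and install:
#   checkmodule -M -m -o myapp_hplip_bind.mod myapp_hplip_bind.te
#   semodule_package -o myapp_hplip_bind.pp -m myapp_hplip_bind.mod
#   semodule -i myapp_hplip_bind.pp
#
# Confirm the rule is present in the loaded policy:
#   sesearch --allow -s myapp_t -t hplip_port_t -c tcp_socket

module myapp_hplip_bind 1.0;

require {
    type myapp_t;                 # hypothetical in-house domain
    type hplip_port_t;            # port type from the base policy
    class tcp_socket name_bind;
}

# Grant only name_bind on TCP sockets. name_connect and udp_socket are
# deliberately left out, so the domain can listen on these ports but gains
# no other access to them.
allow myapp_t hplip_port_t:tcp_socket name_bind;
```

The rule applies to every port labeled `hplip_port_t`, not only the one the software uses, which is the trade-off the reply describes.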