SELinux port “defined in policy, cannot be deleted”

selinux

I am not satisfied with the answer to this question:

$> sudo semanage port -d -p tcp -t foo...
ValueError: Port foo is defined in policy, cannot be deleted

The accepted answer is

The SELinux policy includes definitions for ports … There is no need to remove them.

No need to remove them. Okay, but I want to remove them anyway — I want the SELinux availability of the port to match the actual availability of the port, just for consistency's sake.

How do I semanage port -d for ports defined in the policy? (In my case, ssh.)

Best Answer

Your option would be to build your own policy module for SSH, removing the part where the port is labelled.

Since you can now load policy modules specifying a priority, your custom module will have a higher precedence. Check the -X,--priority=PRIORITY flag in the semodule manual page for the details.

For the record, I concur with Michael Hampton in that there's no need to remove the port from the policy. It does not increase the security of the system at all, as there are multiple ways to either increase or relax the security (as in SELinux related) management of the SSH server, namely: delete the OpenSSH server to begin with, label the traffic, or, in the other direction, put the SSH server in a permissive domain.
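As an added illustration of the procedure the answer describes (this is not the answerer's own code and not part of the original thread): port labels appear in CIL policy as (portcon ...) statements, so the "part where the port is labelled" can be stripped from an extracted module before it is reinstalled at a higher priority. The helper below does that filtering with awk on a constructed CIL fragment; the module name ssh, the type ssh_port_t, the priority 500 and the sample CIL are assumptions for illustration. On a real system, extract the module first and check that it actually carries the portcon you want to drop (in distribution policies the port labels may live in a base or corenetwork module rather than in ssh).

```shell
#!/bin/sh
# Added example, not from the original question or answer.
# Assumptions: the module carrying the label is named "ssh", the port type is
# "ssh_port_t", the override priority is 500, and the CIL text below is a
# constructed sample, not an extracted distribution policy.

# strip_port_labels TYPE  (reads a CIL module on stdin, writes it on stdout)
# Drops every (portcon ...) statement whose security context uses TYPE.
# Type declarations, attribute sets and allow rules are passed through
# unchanged, so rules that still reference the type keep compiling.
strip_port_labels() {
    awk -v t="$1" '
        /^[[:space:]]*\(portcon / && index($0, " " t " ") { next }
        { print }
    '
}

# count_portcon  (reads CIL on stdin, prints how many portcon statements remain)
count_portcon() {
    grep -c '^[[:space:]]*(portcon ' || true
}

# Constructed sample module: two labelled ports plus a port range, and an
# allow rule that references ssh_port_t and must survive the filtering.
SAMPLE_CIL='(type ssh_port_t)
(roletype object_r ssh_port_t)
(typeattributeset port_type ssh_port_t)
(portcon tcp 22 (system_u object_r ssh_port_t ((s0) (s0))))
(type http_port_t)
(portcon tcp 80 (system_u object_r http_port_t ((s0) (s0))))
(portcon tcp (6001 6020) (system_u object_r xserver_port_t ((s0) (s0))))
(allow sshd_t ssh_port_t (tcp_socket (name_bind)))'

# demo: filter the sample and print the result
demo() {
    printf '%s\n' "$SAMPLE_CIL" | strip_port_labels ssh_port_t
}

# On a real host the same helper sits in the middle of this sequence
# (root required; not executed by this script):
#   semodule -E ssh -c                 # extract the loaded module as ./ssh.cil
#   grep portcon ssh.cil               # confirm the label is really in this module
#   mkdir -p override
#   strip_port_labels ssh_port_t < ssh.cil > override/ssh.cil
#   semodule -X 500 -i override/ssh.cil   # same module name, higher priority wins
#   semodule -X 500 -r ssh             # revert: the original priority copy is active again
demo
```

Installing the rewritten file under the same module name at a higher priority is what makes it take precedence over the distribution copy; removing it again with the same -X value reactivates the original module, so the change is easy to back out.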