Playing with SELinux ... part 2

But we want to see whether it really works and how we can use Permissive Domains.

We will set up the httpd service to listen on port 631/tcp, which is used by CUPS. The portreserve service should prevent apache from using this port; that is exactly what portreserve is for.

# man portreserve
portreserve - reserve ports to prevent portmap mapping them

Make sure portreserve is running.

# service portreserve status >/dev/null 2>&1; echo $?

Setup apache, portreserve and try to restart apache.

# if [ -e /etc/portreserve/cups ]; then echo "The file exists"; else echo "ipp" > /etc/portreserve/cups; service portreserve restart; fi
# sed -i 's/^Listen [0-9][0-9]*/Listen 631/' /etc/httpd/conf/httpd.conf
# date_time=`date +%H:%M:%S`
# service httpd start >/dev/null 2>&1; echo $?

Why is apache not running? Because portreserve works, or because of SELinux? We should analyze it. But you probably already know the answer, and sealert may be showing it to you.

# ausearch -m avc -ts $date_time | audit2allow

#============= httpd_t ==============
#!!!! This avc can be allowed using the boolean 'allow_ypbind'
allow httpd_t ipp_port_t:tcp_socket name_bind;

Indeed, apache is not allowed to bind to port 631/tcp, which is expected. But we want to allow it for our test. How can we do that?

Turn off SELinux, set the machine to permissive mode?

Answer is NO!!!

You can allow it using a local policy.

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

or use "Permissive Domains".

# semanage permissive -a httpd_t

This is how we do it: how we debug an existing policy, and how people can really help us test policies. I like this feature. It makes our life and yours much easier and safer!

# semanage permissive -l | grep -w httpd_t
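A permissive domain still gets its denials logged, only with permissive=1, so the audit log tells you what the policy would have blocked. The helper below is an added example, not part of the original post: it summarises AVC records for one domain and counts the would-be denials. The audit lines are constructed samples; on a live box you would feed it the ausearch output from above.

```shell
#!/bin/sh
# Constructed sample AVC records (not taken from a real system), shaped like
# /var/log/audit/audit.log lines. The second and third carry permissive=1:
# the kernel logged them while httpd_t was a permissive domain, so the access
# went through but would have been denied in enforcing mode.
SAMPLE_AVCS='type=AVC msg=audit(1300000000.123:45): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=631 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ipp_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1300000100.456:52): avc:  denied  { name_bind } for  pid=1300 comm="httpd" src=631 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ipp_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1300000100.789:53): avc:  denied  { read } for  pid=1300 comm="httpd" name="index.html" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1'

# avc_summary DOMAIN: read AVC lines on stdin, print "tclass perm target_type mode"
# for every record whose source domain (third field of scontext) is DOMAIN.
# Records without a permissive= field (older kernels) are treated as enforced.
avc_summary() {
    awk -v dom="$1" '
    /^type=AVC / {
        sc = $0; sub(/.*scontext=/, "", sc); sub(/ .*/, "", sc)
        split(sc, s, ":"); if (s[3] != dom) next
        perm = $0; sub(/.*denied +[{] /, "", perm); sub(/ [}].*/, "", perm)
        tc = $0; sub(/.*tcontext=/, "", tc); sub(/ .*/, "", tc); split(tc, t, ":")
        cls = $0; sub(/.*tclass=/, "", cls); sub(/ .*/, "", cls)
        mode = ($0 ~ /permissive=1/) ? "permissive" : "enforced"
        print cls, perm, t[3], mode
    }'
}

# would_deny_count DOMAIN: how many accesses the policy would have blocked,
# i.e. AVCs logged while DOMAIN was permissive. Non-zero means the domain
# still needs policy work (or the access is one you do not want to allow).
would_deny_count() {
    avc_summary "$1" | awk '/ permissive$/ { n++ } END { print n + 0 }'
}

# Demo on the constructed sample; on a live system replace the printf with
# the command from the post:  ausearch -m avc -ts $date_time
printf '%s\n' "$SAMPLE_AVCS" | avc_summary httpd_t
echo "would-be denials for httpd_t: $(printf '%s\n' "$SAMPLE_AVCS" | would_deny_count httpd_t)"
```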

So now we can restart apache and finally see if portreserve works.

# service httpd start >/dev/null 2>&1; echo $?

Heya, it works! Still sceptical?

# service portreserve stop
# service httpd start
# echo $?

We are done. I believe you like SELinux more now.

Also, you should replace your local portreserve policy with the default policy.

# semodule -r portreserve -i /usr/share/selinux/targeted/portreserve.pp.bz2
# for f in `rpm -ql portreserve | grep -E "(etc|bin|log|lib|run)"`; do restorecon -R -v $f; done
# semanage permissive -d httpd_t