But we want to see whether it really works and how we can use Permissive Domains.
We will set up the httpd service to listen on port 631/tcp, which is used by CUPS. The portreserve service should prevent apache from using this port. This is how portreserve works:

```
# man portreserve
portreserve - reserve ports to prevent portmap mapping them
```
Make sure portreserve is running.
```
# service portreserve status 2>&1 >/dev/null; echo $?
0
```

Set up apache and portreserve, then try to restart apache.

```
# if [ -e /etc/portreserve/cups ]; then echo "The file exists"; else echo "ipp" > /etc/portreserve/cups; service portreserve restart; fi
# sed -i s/^Listen\ [0-9][0-9]*/Listen\ 631/ /etc/httpd/conf/httpd.conf
# date_time=`date | cut -d " " -f 5`
# service httpd start 2>&1 >/dev/null; echo $?
1
```

What is the reason apache is not running? Is it because portreserve works, or because of SELinux? We should analyze it. But probably you already know the answer, and maybe sealert is showing it to you.

```
# ausearch -m avc -ts $date_time | audit2allow

#============= httpd_t ==============
#!!!! This avc can be allowed using the boolean 'allow_ypbind'
allow httpd_t ipp_port_t:tcp_socket name_bind;
```

Indeed, apache is not allowed to use port 631/tcp, which is expected. But we want to allow it for our test. How can we do it?
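To make the "is it SELinux or is it portreserve?" question concrete, here is an added example (not code from the original post) that reads raw AVC records the way `ausearch | audit2allow` does for the simple case: it pulls the source type, target type, class and permissions out of each `avc: denied` record and prints the corresponding allow rule, and it reports whether any denial exists for a given domain at all. The audit records in `SAMPLE_AUDIT_LOG` are constructed for this example, not real log data; the function names are mine. It needs only POSIX sh and awk, so it runs offline without an audit daemon.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal reader for AVC
# records, to show what "ausearch | audit2allow" is doing when you decide
# whether SELinux or something else (here: portreserve) stopped httpd.
# Only POSIX sh and awk are used, so it runs offline.

# Constructed sample audit records (not real log data): one denial for httpd
# binding 631/tcp, one SYSCALL record that must be ignored, and one
# two-permission denial to exercise the "{ perm perm }" form.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1297331185.384:101): avc:  denied  { name_bind } for  pid=2345 comm="httpd" src=631 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ipp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1297331185.384:101): arch=c000003e syscall=49 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0
type=AVC msg=audit(1297331190.000:102): avc:  denied  { read open } for  pid=2345 comm="httpd" path="/srv/www/index.html" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# avc_to_rule: read audit records on stdin, print one allow rule per AVC
# record in the shape audit2allow produces for simple cases.
avc_to_rule() {
  awk '/avc: *denied/ {
    perms = ""; inbr = 0; src = ""; tgt = ""; cls = ""
    for (i = 1; i <= NF; i++) {
      if ($i == "{") { inbr = 1; continue }      # permissions sit between { and }
      if ($i == "}") { inbr = 0; continue }
      if (inbr) perms = perms (perms == "" ? "" : " ") $i
      # a context is user:role:TYPE:level; the type is the third field
      if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
      if ($i ~ /^tcontext=/) { split($i, b, ":"); tgt = b[3] }
      if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
    }
    if (index(perms, " ")) perms = "{ " perms " }"
    printf "allow %s %s:%s %s;\n", src, tgt, cls, perms
  }'
}

# avc_count_for_domain DOMAIN: number of AVC records whose source type is DOMAIN.
avc_count_for_domain() {
  awk -v dom="$1" '/avc: *denied/ {
    for (i = 1; i <= NF; i++)
      if ($i ~ /^scontext=/) { split($i, a, ":"); if (a[3] == dom) n++ }
  } END { print n + 0 }'
}

# explain_failure DOMAIN: reads audit records on stdin and says whether
# SELinux denied DOMAIN. Exit 0 = SELinux denial found; exit 1 = none found,
# so the service failure has another cause (port already reserved, config).
explain_failure() {
  n=$(avc_count_for_domain "$1")
  if [ "$n" -gt 0 ]; then
    echo "SELinux: $n AVC record(s) for $1; see avc_to_rule output"
    return 0
  fi
  echo "no AVC for $1: SELinux did not block it, look elsewhere (port in use, portreserve, config)"
  return 1
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | avc_to_rule
printf '%s\n' "$SAMPLE_AUDIT_LOG" | explain_failure httpd_t
```

Run it against a real log with `explain_failure httpd_t < /var/log/audit/audit.log`. The point of the second function is the case the post is about: once httpd_t is permissive, a start failure with no fresh AVC record for httpd_t can only come from outside SELinux, which is exactly the evidence that portreserve is holding the port.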
Turn off SELinux, set the machine to permissive mode?
The answer is NO!!!
You can allow it using a local policy.
```
# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
```

or use "Permissive Domains".

```
# semanage permissive -a httpd_t
```

This is how we do it: how we debug an existing policy, and how people can really help us with testing policies. I like this feature. It makes our life and your life much easier and safer!

```
# semanage permissive -l | grep -w httpd_t
httpd_t
```

So now we can restart apache and finally see if portreserve works.

```
# service httpd start 2>&1 >/dev/null; echo $?
1
```

Heya, it works! Are you sceptical?

```
# service portreserve stop
# service httpd start
# echo $?
0
```

We are done. I believe you like SELinux more now.
Also, you should replace your local portreserve policy with the default policy.

```
# semodule -r portreserve.pp -i /usr/share/selinux/targeted/portreserve.pp.bz2
# for files in `rpm -ql portreserve | grep -E "(etc|bin|log|lib|run)"`; do restorecon -R -v $files; done
# semanage permissive -d httpd_t
```