
Surprisingly, could not find any clear information on how to delete a range of ports by way of semanage port. Here is a list of permutations I tried:

semanage port -d -t http_port_t -p tcp 0-60000
semanage port -d -t http_port_t -p tcp [1-60000]
semanage port -d -t http_port_t -p tcp 1,60000
semanage port -d -t http_port_t -p tcp 1-60000
semanage port -d -t http_port_t -p tcp 1 60000
semanage port -d -t http_port_t -p tcp 1,60000
semanage port -d -t http_port_t -p tcp <60000
semanage port -d -t http_port_t -p tcp '1-60000'
semanage port -d -t http_port_t -p tcp '1,60000'
semanage port -d -t http_port_t -p tcp 1000-10000

The help message wasn't clear on how to indicate a range:

root@service1 /etc/yum/pluginconf.d # -> semanage -h
/usr/sbin/semanage: 
semanage [ -S store ] -i [ input_file | - ]
semanage [ -S store ] -o [ output_file | - ]

semanage login -{a|d|m|l|D|E} [-nrs] login_name | %groupname
semanage user -{a|d|m|l|D|E} [-LnrRP] selinux_name
semanage port -{a|d|m|l|D|E} [-nrt] [ -p proto ] port | port_range
Mike Purcell

1 Answer


Well that was impressive, you made me go to source code to find an answer. You did stumble across the proper way to define a range with your first try: two numbers must be separated by a hyphen.

What's hanging you up is this:

# seobject.py, port delete path: the requested port/range is looked up as an exact key
(rc, exists) = semanage_port_exists(self.sh, k)
if rc < 0:
    raise ValueError(_("Could not check if port %s/%s is defined") % (proto, port))
if not exists:
    raise ValueError(_("Port %s/%s is not defined") % (proto, port))

If you specify a range of ports when adding a rule, you must specify the same range of ports when deleting a rule. For example:

sudo semanage port -l | grep ^http_port_t
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443

To delete those, you must call delete once for each port or port range between the commas. They can't be a contiguous range because they weren't defined that way.

Conversely, with this example:

mysqld_port_t                  tcp      1186, 3306, 63132-63163

You can't individually delete 63132 or 63133. You must specify that exact range.

Example of adding and deleting a range:

semanage port --add -t http_port_t -p tcp 8899-8902
semanage port --delete -t http_port_t -p tcp 8899-8902
Dan Pritts
Jeff Ferland
    Wow, that seems odd. I would think we could just set a contiguous range and it would delete all ports contained therein. In the interim I passed `-D` which resets the port to default ports. Seems to me that these assignments should be only for ports you want, and not all these default ports. Thanks for the follow-up, much appreciated. – Mike Purcell Nov 30 '12 at 01:32
  • @MikePurcell Yeah, it's a bit frustrating. What happens is everything you specify turns into a key. Thus, the resulting key for any operation must be the same key as was used for the add. Blame it on the underlying kernel API. – Jeff Ferland Nov 30 '12 at 01:34
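The answer and comments above boil down to one rule: each entry in `semanage port -l` is a key of (protocol, low port, high port), and a delete only succeeds when it names that key exactly. The following is an added example, not code from the thread or from the semanage project: it parses listing lines of the kind quoted in the answer (the sample text is constructed to match them) into those keys, generates one exact `semanage port -d` command per key, and models the exact-match check so you can see in advance why `63132` or `80-443` would be rejected. Function and variable names are my own; the real tool never exposes them.

```python
from typing import Dict, List, Tuple

# Constructed sample modelled on the two listing lines quoted in the answer;
# in practice feed it the output of `semanage port -l`.
SAMPLE_LISTING = """\
SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
mysqld_port_t                  tcp      1186, 3306, 63132-63163
"""

# The key semanage stores for every definition: (proto, low, high).
# A single port is stored as low == high.
PortKey = Tuple[str, int, int]


def parse_spec(proto: str, spec: str) -> PortKey:
    """Turn 'N' or 'N-M' (the syntax the answer confirms) into a PortKey."""
    spec = spec.strip()
    if "-" in spec:
        low, high = (int(x) for x in spec.split("-", 1))
    else:
        low = high = int(spec)
    if not (0 < low <= high <= 65535):
        raise ValueError(f"invalid port spec {spec!r}")
    return (proto, low, high)


def parse_port_listing(text: str) -> Dict[str, List[PortKey]]:
    """Parse `semanage port -l` lines into {type: [PortKey, ...]}.

    Header and blank lines are skipped; each comma-separated entry becomes
    its own key, exactly as semanage stores it.
    """
    result: Dict[str, List[PortKey]] = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue
        ptype, proto, ports = parts
        try:
            keys = [parse_spec(proto, entry) for entry in ports.split(",")]
        except ValueError:
            continue  # header line or something that is not a port list
        result.setdefault(ptype, []).extend(keys)
    return result


def delete_commands(ptype: str, keys: List[PortKey]) -> List[str]:
    """One `semanage port -d` per defined key, each naming the key exactly."""
    cmds = []
    for proto, low, high in keys:
        spec = str(low) if low == high else f"{low}-{high}"
        cmds.append(f"semanage port -d -t {ptype} -p {proto} {spec}")
    return cmds


def can_delete(defined: List[PortKey], proto: str, spec: str) -> bool:
    """Model of the exists-check quoted in the answer: a delete request must
    equal a defined key; a sub-range or a superset of a defined range does not."""
    return parse_spec(proto, spec) in defined


if __name__ == "__main__":
    defs = parse_port_listing(SAMPLE_LISTING)
    for ptype, keys in defs.items():
        for cmd in delete_commands(ptype, keys):
            print(cmd)
    # Both of these print False: the range and the ports inside it are different keys.
    print(can_delete(defs["mysqld_port_t"], "tcp", "63132"))
    print(can_delete(defs["http_port_t"], "tcp", "80-443"))
```

One caveat the generator cannot know from the listing alone: `semanage port -l` shows base-policy entries and local customisations together, and `-d` only removes the local ones (semanage reports the others as defined in policy). Run the generated commands only for entries you added yourself, or use `-D`, as the asker did, to drop all local customisations for the type at once.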