Is it possible to persist selinux port statements across reboots?

Question

Currently we need to run something like this every time we start up:

/usr/sbin/semanage port -a -t memcache_port_t -p tcp ${special-snowflake-port}

It would be great if we could persist this across reboots. The answer is to compile the poicy, but the big question is how is this done? Nothing I've seen in the .fc file documentation suggests this could be encoded there and the .te file syntax is kind of hard to read. Yet clearly the per-compiled policies do set stuff, I just can't find how.

What am I missing?

Answer 1

I just tested the command you provide on a CentOS 6.5 system, it performs as expected and adds ${special-snowflake-port} to the tcp memcache_port_t list. Rebooting the test VM didn't change this as seen by

semanage port -l | grep memcache_port_t
memcache_port_t                tcp      11311, 11211
memcache_port_t                udp      11211

This persists until you delete it

semanage port -d -t memcache_port_t -p tcp 11311
semanage port -l | grep memcache_port_t
memcache_port_t                tcp      11211
memcache_port_t                udp      11211

---

What are you misunderstanding ? What causes you to think this is not persistent ?

Answer 2

It turns out they actually are persisted, and I never noticed. semanage stashes file representations of policies in /etc/selinux/${config-file}/modules/active. In my case the list of ports is in:

/etc/selinux/targeted/modules/active/ports.local

This is filled with entries similar to this:

portcon tcp 11222 system_u:object_r:memcache_port_t:s0

This directory gets regenerated any time a rule is added (-a) or deleted (-d) by semanage.

file_contexts is the file persisting file contexts.

This is handy, since these files grep faster than semanage -l output can be generated.