
I am not satisfied with the answer to this question:

$> sudo semanage port -d -p tcp -t foo...
ValueError: Port foo is defined in policy, cannot be deleted

The accepted answer is

The SELinux policy includes definitions for ports ... There is no need to remove them.

No need to remove them. Okay, but I want to remove them anyway -- I want the SELinux availability of the port to match the actual availability of the port, just for consistency's sake.

How do I semanage port -d for ports defined in the policy? (In my case, ssh.)

spraff
  • Why are you trying to do this? Again, there is no need to remove these definitions. You are proposing to do something that will make your system extremely difficult to support. – Michael Hampton Dec 28 '16 at 19:11
  • @MichaelHampton Maybe I don't understand what a policy actually *is*. My understanding is that my policy presently allows the SSH socket to open. I want to delete port 22 from the set of usable ports. – spraff Dec 28 '16 at 21:24
  • The threat model is that some compromised program can be made to listen on port 22, which is available because sshd isn't running and SELinux would permit it because it expects ssh to be allowed to run. – spraff Dec 28 '16 at 21:27
    A confined program can't bind to that port unless it starts with context `sshd_t` as `/usr/sbin/sshd` does. Apache, for instance, can't bind to port 22 because it runs as `httpd_t`. – Michael Hampton Dec 28 '16 at 23:54

1 Answer


Your option would be to build your own policy module for SSH, removing the part where the port is labelled.

Since you can now load policy modules specifying a priority, your custom module will have a higher precedence. Check the -X,--priority=PRIORITY flag in the semodule manual page for the details.

For the record, I concur with Michael Hampton in that there's no need to remove the port from the policy. It does not increase the security of the system at all, as there are multiple ways to either increase or relax the security (as in SELinux related) management of the SSH server, namely: delete the OpenSSH server to begin with, label the traffic, or, in the other direction, put the SSH server in a permissive domain.

dawud
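An added example of the priority-override workflow the answer describes; it is not code from the answer or from any distribution's policy. The filter that drops the port statement runs against a constructed CIL snippet so it can be exercised on a machine without SELinux, while the `semodule` steps only run as root where the tool exists. It assumes the portcon lives in a loadable module you can extract (the default name `ssh` is a placeholder; locate the real module first, e.g. with `semodule -lfull` and `seinfo --portcon=22`), and that `semodule` supports `-E/--extract`, `-c/--cil` and `-X/--priority`, which recent CIL-based policycoreutils does.

```shell
#!/bin/sh
# Added example (not the answer's own code): drop a port definition by
# replacing the module that carries it with a higher-priority copy that
# lacks the portcon line. Assumptions: MODULE is a placeholder for the
# loadable module that actually holds the portcon; semodule supports
# -E/--extract, -c/--cil and -X/--priority (recent CIL-based systems).
set -eu

MODULE="${MODULE:-ssh}"      # placeholder; find the real module first
PORT="${PORT:-22}"
PRIORITY="${PRIORITY:-400}"  # distro modules usually sit at 100; higher wins

# Filter: drop every CIL (portcon tcp ...) statement for PORT from stdin.
# CIL writes a single port as "22" and a range as "(22 22)".
strip_portcon() {
    grep -v -E "^\(portcon tcp (${1}|\(${1} ${1}\)) "
}

# Count the tcp portcon statements left on stdin (prints 0 instead of failing).
count_tcp_portcon() {
    grep -c -E '^\(portcon tcp ' || true
}

# Constructed sample resembling `semodule -c -E ssh` output, so the filter
# can be tried without SELinux tools installed.
sample_cil() {
    cat <<'EOF'
(type ssh_port_t)
(roletype object_r ssh_port_t)
(portcon tcp 22 (system_u object_r ssh_port_t ((s0) (s0))))
(portcon tcp (2222 2222) (system_u object_r ssh_port_t ((s0) (s0))))
(allow sshd_t ssh_port_t (tcp_socket (name_bind)))
EOF
}

# Real workflow; runs only as root on a host that has semodule.
rebuild_without_port() {
    if ! command -v semodule >/dev/null 2>&1 || [ "$(id -u)" -ne 0 ]; then
        echo "skipping: needs root and semodule" >&2
        return 0
    fi
    work=$(mktemp -d)
    mkdir "$work/new"
    # Extract the currently loaded module as CIL; it is written to the cwd.
    ( cd "$work" && semodule -c -E "$MODULE" )
    strip_portcon "$PORT" < "$work/$MODULE.cil" > "$work/new/$MODULE.cil"
    # Same file name means same module name; the higher priority copy wins.
    semodule -X "$PRIORITY" -i "$work/new/$MODULE.cil"
    # Check: the label should no longer appear in the port list.
    semanage port -l | grep -E "^ssh_port_t" || echo "no ssh_port_t entry left"
    # Rollback at any time: removing only the high-priority copy makes the
    # distro module at priority 100 active again:
    #   semodule -X "$PRIORITY" -r "$MODULE"
}

rebuild_without_port
```

Two caveats worth checking before relying on this. First, the override only reaches statements that live in a loadable module: if the portcon turns out to be compiled into the base module, a higher-priority copy of a contrib module does not touch it. Second, because the replacement is a full copy of the module minus one line, every later distro update of that module is shadowed until you remove the high-priority copy, which is the support problem the comments above warn about.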