If a service is denied access to a resource due to SELinux policy, does it know that it is the security module preventing its access? No. But if anyone would add additional code to the kernel so that applications would get to know that they are denied access to the resource because the security module is preventing it, then the error messages of the applications might become more human-readable. What do you think about this idea, Dan?

Well, the problem with that is all the kernel is returning is EPERM, which lots of programs know how to handle. Introducing a new ERRNO would be problematic and would probably cause lots of apps to blow up. Also there are potentially other LSM apps and other ways to get EPERM than just DAC. So I think it is a non-starter. We are reporting errors in /var/log/messages if you have setroubleshoot-server installed, and all SELinux error messages show up in /var/log/audit/audit.log.
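Since the application only ever sees the errno, the readable reason has to be recovered from the AVC record in /var/log/audit/audit.log. The shell functions below are an added example (not code from the blog or the SELinux project) that pull the process, the denied permission, the object class and the source/target types out of one AVC record and print a one-line summary. The record in SAMPLE_AVC is constructed for this example and is not from a real system.

```shell
#!/bin/sh
# Added example: turn one AVC record from /var/log/audit/audit.log into the
# readable reason an application never gets from its errno.
# The record below is constructed for this example, not taken from a real host.
SAMPLE_AVC='type=AVC msg=audit(1402500000.123:456): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=8008 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket'

# avc_field RECORD KEY -> value of KEY=value (quotes stripped, if any)
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms RECORD -> the permission set inside "denied { ... }"
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied  *{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# ctx_type CONTEXT -> the type field (user:role:type:level -> type)
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary RECORD -> "comm[pid]: denied PERMS on CLASS (src_type -> tgt_type)"
avc_summary() {
    rec="$1"
    printf '%s[%s]: denied %s on %s (%s -> %s)\n' \
        "$(avc_field "$rec" comm)" "$(avc_field "$rec" pid)" \
        "$(avc_perms "$rec")" "$(avc_field "$rec" tclass)" \
        "$(ctx_type "$(avc_field "$rec" scontext)")" \
        "$(ctx_type "$(avc_field "$rec" tcontext)")"
}

avc_summary "$SAMPLE_AVC"
```

On a live system the same functions can be fed real records with `ausearch -m avc -ts recent | grep '^type=AVC'`, one line per denial; the summary shows the domain-to-type pair that `audit2allow` or `sealert` would reason about, which is exactly what EPERM hides from the application.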

delete vs. modify port types?


But why do you have to modify the port association of port 8008 from http_port_t to an unreserved port, and not just delete the whole http_port_t association? That seems more natural, since port 8008 is already in the unreserved_port_t range.


Re: delete vs. modify port types?

The tool chain cannot handle it. If a port definition comes from the base policy, the tool chain does not allow semanage to delete it. You can only modify it to a type that confined domains do not have access to.
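The practical test for whether a mapping can be deleted is whether it is a local customization: `semanage port -lC` lists only those, so a port that is absent from that listing came from base policy and can only be re-typed. The script below is an added example (not from the blog or the SELinux project) that applies that rule and prints the semanage command to run; the LOCAL_CUSTOMIZATIONS text is constructed to look like `-lC` output and is not from a real system.

```shell
#!/bin/sh
# Added example: decide whether a port mapping can be deleted (it is a local
# customization) or must be re-typed (it is inherited from base policy), and
# print the matching semanage command.  LOCAL_CUSTOMIZATIONS is constructed to
# mimic `semanage port -lC` output and is not taken from a real host.
LOCAL_CUSTOMIZATIONS='SELinux Port Type              Proto    Port Number
http_port_t                    tcp      8008'

# port_action LISTING PORT PROTO -> "delete" when PORT/PROTO appears in
# LISTING (a local customization), otherwise "modify" (base policy).
# Listing lines look like: TYPE PROTO port, port-range, port ...
port_action() {
    if printf '%s\n' "$1" | awk -v p="$2" -v pr="$3" '
        $2 == pr {
            for (i = 3; i <= NF; i++) {
                sub(",", "", $i)
                n = split($i, r, "-")
                lo = r[1] + 0; hi = (n > 1 ? r[2] : r[1]) + 0
                if (p + 0 >= lo && p + 0 <= hi) found = 1
            }
        }
        END { exit !found }'
    then echo delete
    else echo modify
    fi
}

# port_fix_cmd LISTING PORT PROTO -> the semanage invocation to run.
# A base-policy mapping cannot be deleted, so the fallback re-types the port
# to unreserved_port_t, which confined domains such as httpd_t cannot use.
port_fix_cmd() {
    case "$(port_action "$1" "$2" "$3")" in
        delete) printf 'semanage port -d -p %s %s\n' "$3" "$2" ;;
        modify) printf 'semanage port -m -t unreserved_port_t -p %s %s\n' "$3" "$2" ;;
    esac
}

# Real use: pass the live listing, e.g.  port_fix_cmd "$(semanage port -lC)" 8008 tcp
port_fix_cmd "$LOCAL_CUSTOMIZATIONS" 8008 tcp   # local mapping: delete
port_fix_cmd "" 8008 tcp                        # base-policy mapping: modify
```

After a modify, `semanage port -lC` shows the new local entry for 8008 under unreserved_port_t, and `semanage port -d -p tcp 8008` on that entry then restores the base-policy http_port_t mapping rather than removing it, which is the asymmetry the answer above describes.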
