Bug 1256711
| Summary: | Enabling SELinux: missing reference to "Enabling SELinux" section in Security guide | ||
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Pavel Moravec <pmoravec> |
| Component: | Docs Install Guide | Assignee: | David O'Brien <daobrien> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Stephen Wadeley <swadeley> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 6.1.0 | CC: | dlackey, hhudgeon, lzap, pmoravec |
| Target Milestone: | Unspecified | Keywords: | SELinux |
| Target Release: | Unused | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-10-13 14:41:17 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Pavel Moravec
2015-08-25 10:11:22 UTC
Pavel or Lukas, 1.4.6. SELinux Policy on Satellite 6 includes the following statement: "For example, if you change the web UI ports (HTTP/HTTPS) to 8018/8019, you need to add these port numbers to the httpd_port_t SELinux port type." Should we extend that example to include how to disassociate the previous port from the port type? e.g., if you want to use 8018 and not 8080 then you might not want to allow access to 8080. Can you provide a suitable example if you think this is necessary? My SELinux is a bit rusty :( thanks (In reply to David O'Brien from comment #2) > Pavel or Lukas, > > 1.4.6. SELinux Policy on Satellite 6 includes the following statement: > > "For example, if you change the web UI ports (HTTP/HTTPS) to 8018/8019, you > need to add these port numbers to the httpd_port_t SELinux port type." > > Should we extend that example to include how to disassociate the previous > port from the port type? e.g., if you want to use 8018 and not 8080 then you > might not want to allow access to 8080. > > Can you provide a suitable example if you think this is necessary? My > SELinux is a bit rusty :( > > thanks It makes sense but I dont know the command either (I could find it but still wouldnt be sure it's correct). Yet another issue I see here: Assume a user changes the SELinux context for listening port. After upgrading foreman-selinux or other relevant *selinux* package, wont be the original port 8080 allowed again? If so, we should add a notice "dissasociate the allow access to original port by running below command *now* and also after every upgrade of package ???" Lukas, could you pls. provide the SELinux command and confirm&complete my another point? Hey, sorry for the delay.
To unassociate port number with SELinux port type, use -d option of semanage tool.
> Yet another issue I see here: Assume a user changes the SELinux context for
> listening port. After upgrading foreman-selinux or other relevant *selinux*
> package, wont be the original port 8080 allowed again? If so, we should add
> a notice "dissasociate the allow access to original port by running below
> command *now* and also after every upgrade of package ???"
No. We only add default ports if they are not present.
|