Document URL: https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/6.1/html/Installation_Guide/sect-Red_Hat_Satellite-Installation_Guide-Prerequisites.html#sect-Red_Hat_Satellite-Installation_Guide-Prerequisites-SELinux_Policy

Section Number and Name: 1.4.6. SELinux Policy on Satellite 6

Describe the issue: The paragraph "Important" ("If SELinux was disabled ...") provides just the steps relevant to applying changes to Sat6 processes/files/etc., while important steps from the Security manual are missing.

Suggestions for improvement: Provide a reference / link to [1] (RHEL6) and [2] (RHEL7). State that the two foreman-selinux-* commands should be executed when SELinux is in Permissive mode (roughly in the middle of the procedure in [1]/[2]).

[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-Changing_SELinux_Modes.html#sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Enabling_SELinux
[2] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html#sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Enabling_SELinux

Additional information:
Pavel or Lukas,

1.4.6. SELinux Policy on Satellite 6 includes the following statement:

"For example, if you change the web UI ports (HTTP/HTTPS) to 8018/8019, you need to add these port numbers to the httpd_port_t SELinux port type."

Should we extend that example to include how to disassociate the previous port from the port type? e.g., if you want to use 8018 and not 8080 then you might not want to allow access to 8080.

Can you provide a suitable example if you think this is necessary? My SELinux is a bit rusty :(

thanks
(In reply to David O'Brien from comment #2)
> Pavel or Lukas,
>
> 1.4.6. SELinux Policy on Satellite 6 includes the following statement:
>
> "For example, if you change the web UI ports (HTTP/HTTPS) to 8018/8019, you
> need to add these port numbers to the httpd_port_t SELinux port type."
>
> Should we extend that example to include how to disassociate the previous
> port from the port type? e.g., if you want to use 8018 and not 8080 then you
> might not want to allow access to 8080.
>
> Can you provide a suitable example if you think this is necessary? My
> SELinux is a bit rusty :(
>
> thanks

It makes sense, but I don't know the command either (I could find it but still wouldn't be sure it's correct).

Yet another issue I see here: Assume a user changes the SELinux context for the listening port. After upgrading foreman-selinux or another relevant *selinux* package, won't the original port 8080 be allowed again? If so, we should add a notice: "disassociate the allowed access to the original port by running the command below *now* and also after every upgrade of package ???"

Lukas, could you please provide the SELinux command and confirm & complete my other point?
Hey, sorry for the delay.

To disassociate a port number from an SELinux port type, use the -d option of the semanage tool.

> Yet another issue I see here: Assume a user changes the SELinux context for
> the listening port. After upgrading foreman-selinux or another relevant *selinux*
> package, won't the original port 8080 be allowed again? If so, we should add
> a notice: "disassociate the allowed access to the original port by running the
> command below *now* and also after every upgrade of package ???"

No. We only add default ports if they are not present.
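As an added example (not from the Satellite documentation or the foreman-selinux project), a POSIX shell check that reads a `semanage port -l` listing and prints only the `semanage port -a` / `semanage port -d` commands still needed to move a port type from an old port to a new one; running it against a fresh listing after a package upgrade is one way to re-verify the mapping discussed above. It assumes a constructed listing and uses the reference-policy type name `http_port_t` (the comments above write `httpd_port_t`).

```shell
#!/bin/sh
# Added example: verify an SELinux port/type mapping from captured
# `semanage port -l` output, without running semanage itself.

# Constructed sample of `semanage port -l` output (not from a real host);
# a real listing is much longer.
SAMPLE_LISTING='SELinux Port Type              Proto    Port Number
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
http_port_t                    udp      8080'

# port_has_type LISTING TYPE PROTO PORT -> exit 0 if PORT/PROTO maps to TYPE.
# The port column may contain single ports and "low-high" ranges; both are handled.
port_has_type() {
    listing=$1; type=$2; proto=$3; port=$4
    printf '%s\n' "$listing" | awk -v t="$type" -v p="$proto" -v n="$port" '
        $1 == t && $2 == p {
            for (i = 3; i <= NF; i++) {
                f = $i; sub(/,$/, "", f)
                if (split(f, r, "-") == 2) {
                    if (n + 0 >= r[1] + 0 && n + 0 <= r[2] + 0) found = 1
                } else if (f + 0 == n + 0) found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# port_change_commands LISTING TYPE PROTO OLD NEW -> prints the semanage
# commands still needed so that TYPE covers NEW and no longer covers OLD.
# Prints nothing when the listing already shows the desired state.
# Caveat: "semanage port -d" only removes locally added mappings; a port that
# the base policy itself assigns to the type is reported as defined in policy
# and cannot be deleted this way.
port_change_commands() {
    listing=$1; type=$2; proto=$3; old=$4; new=$5
    port_has_type "$listing" "$type" "$proto" "$new" ||
        echo "semanage port -a -t $type -p $proto $new"
    port_has_type "$listing" "$type" "$proto" "$old" &&
        echo "semanage port -d -t $type -p $proto $old"
    return 0
}

# Example run against the constructed listing: move http_port_t/tcp from 80 to 8018.
port_change_commands "$SAMPLE_LISTING" http_port_t tcp 80 8018
```

Replace `SAMPLE_LISTING` with `"$(semanage port -l)"` on a real host to check the live policy.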