SEmodule Dependency Hell.

Home » CentOS » SEmodule Dependency Hell.
CentOS 4 Comments

I want you all to see what I went through trying to simply reassign
(unsuccessfully) the context of a well-known port.

To the best of my ability to recall none of the packages mentioned below are even installed on the host in question. Why are these dependices preventing me from removing a disused SELinux policy.

I have done exactly that, reassign port contexts, in the past without encountering this situation. So it has to be a recent development. I
am not against SELinux. We use it extensively. But this is not security it is simply BS.

It is stuff like this that causes people to say just turn selinux off altogether.

semodule -r apache libsepol.print_missing_requirements: awstats’s global requirements were not met: type/attribute httpd_log_t (No such file or directory). libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory). semodule: Failed!

semodule -r awstats

semodule -r apache libsepol.print_missing_requirements: bugzilla’s global requirements were not met: type/attribute httpd_t (No such file or directory). libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory). semodule: Failed!

semodule -r bugzilla

semodule -r apache libsepol.print_missing_requirements: cobbler’s global requirements were not met: type/attribute httpd_t (No such file or directory). libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory). semodule: Failed!

semodule -r cobbler

semodule -r apache libsepol.print_missing_requirements: collectd’s global requirements were not met: type/attribute httpd_t (No such file or directory). libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory). semodule: Failed!

semodule -r collectd

semodule -r apache libsepol.print_missing_requirements: git’s global requirements were not met: type/attribute httpd_t (No such file or directory). libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory). semodule: Failed!

semodule -r git

semodule -r apache libsepol.print_missing_requirements: gpg’s global requirements were not met: type/attribute httpd_sys_content_t (No such file or directory). libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory). semodule: Failed!

semodule -r gpg

semodule -r apache libsepol.print_missing_requirements: mediawiki’s global requirements were not met: type/attribute httpd_t (No such file or directory). libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory). semodule: Failed!

semodule -r mediawiki

semodule -r apache libsepol.print_missing_requirements: munin’s global requirements were not met: type/attribute httpd_t (No such file or directory). libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory). semodule: Failed!

semodule -r munin

semodule -r apache libsepol.print_missing_requirements: nagios’s global requirements were not met: type/attribute httpd_t (No such file or directory). libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory). semodule: Failed!

semodule -r nagios

semodule -r apache libsepol.print_missing_requirements: w3c’s global requirements were not met: type/attribute httpd_t (No such file or directory). libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory). semodule: Failed!

semodule -r apache libsepol.print_missing_requirements: webadm’s global requirements were not met: type/attribute httpd_t (No such file or directory). libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory). semodule: Failed!

semodule -r webadm

semodule -r apache libsepol.print_missing_requirements: webalizer’s global requirements were not met: type/attribute httpd_sys_content_t (No such file or directory). libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory). semodule: Failed!

semodule -r webalizer

semodule -r apache libsepol.context_from_record: type httpd_openshift_script_exec_t is not defined libsepol.context_from_record: could not create context structure libsepol.context_from_string: could not create context structure libsepol.sepol_context_to_sid: could not convert unconfined_u:object_r:httpd_openshift_script_exec_t:s0 to sid invalid context unconfined_u:object_r:httpd_openshift_script_exec_t:s0
libsemanage.semanage_install_active: setfiles returned error code 1. semodule: Failed!

semodule -R
[root@xnet241 ~]# semanage port -d -t http_port_t -p tcp 80
/usr/sbin/semanage: Port tcp/80 is defined in policy, cannot be deleted

4 thoughts on - SEmodule Dependency Hell.

  • I used the command: semanage port -m -t http_port_t -p tcp 8000
    to relabel a port. perhaps you could try:
    “semanage port -m -t unconfined_t -p tcp 8000”
    Failing that; would it work to run your application in the httpd_t domain?

    Ta,

    Andrew

  • I ended up having to create a custom policy to allow the other application to have access to the http_port_t context. Which is not an issue given that no httpd service is, or will ever be, installed on that host.

    However, it seems a rather dangerous hole in the logical design of SELinux that one cannot explicitly remove and reassign contexts to ports. In order to accomplish this on a system running httpd but attached to non-standard ports one perforce is required to cross link permissions between all of the affected processes. Which I cannot conceive as a security enhancement.

  • You should be able to modify the definition of a port. Or create a new port type and modify the existing port to use it.

    http_port_t is just a name (type) that we can use to group a number of ports together. Sadly we do not separate the port types of incoming and outgoing connections. So if you confined httpd and firefox on the same machine it gets difficult to say firefox is allowed to connect to port
    80,8080,8000 while your httpd service is only able to bind to port 8000, without defining new types and installing custom policy modules.