
Remove port from selinux policy

Posted: 2021/04/30 16:02:38
by jscarville
I am trying to get the ESET AV software working on my employer's system. The firewall we have (Cisco Firepower) does not handle a generic many-to-one NAT IP, an allow list, and a country blacklist as expected. ESET is in Slovakia and their registration server is in the country blacklist.

So I need a proxy server to handle the traffic. One of the ports their software defaults to is 3128 which I cannot add to selinux for http_port_t.

sudo semanage port -a -t http_port_t -p tcp 3128
ValueError: Port tcp/3128 already defined
If I search for the port I get

sudo semanage port -l | grep 3128
squid_port_t                   tcp      3128, 3401, 4827
But, if I try to remove it from squid_port_t it is forbidden.

sudo semanage port -d -t squid_port_t -p tcp 3128
ValueError: Port tcp/3128 is defined in policy, cannot be deleted
It will work if I disable selinux but I would prefer to not do that.

Can this be fixed or should I just figure out how to change the port ESET software uses?

Re: Remove port from selinux policy

Posted: 2021/04/30 16:57:24
by TrevorH

Re: Remove port from selinux policy

Posted: 2021/05/01 14:35:01
by jscarville
Thank you.

I was trying to remove the port from squid_port_t when I should have been looking for a way to let httpd and squid share the squid ports. Once past that, I just used audit2allow to produce a policy to allow the sharing.
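The approach the thread ends on, written out as an added example that is not part of the original posts: instead of relabelling tcp/3128 (which cannot be removed from squid_port_t because the policy defines it), load a small local policy module that grants httpd_t permission to bind ports labelled squid_port_t. The rule below is the one audit2allow generates from the corresponding AVC denial; the module name httpd_bind_squid and the temporary directory are assumptions of this example. The script only compiles and loads the module when checkmodule and semodule_package are present, so it can be run anywhere to inspect the generated source.

```shell
#!/bin/sh
# Added example (not from the thread): build and load a local SELinux policy
# module that lets the httpd_t domain bind ports labelled squid_port_t
# (tcp 3128, 3401, 4827 on this system), so a proxy running under httpd can
# listen on 3128 without touching the port's label.
# Module name "httpd_bind_squid" is an assumption of this example.

set -eu

MODNAME=httpd_bind_squid

# Write the type-enforcement (.te) source for the module into "$1".
# This is the same allow rule audit2allow emits for a denial of
# "httpd_t ... squid_port_t:tcp_socket name_bind".
write_te() {
    dir="$1"
    cat > "$dir/$MODNAME.te" <<'EOF'
module httpd_bind_squid 1.0;

require {
    type httpd_t;
    type squid_port_t;
    class tcp_socket name_bind;
}

# Let Apache httpd listen on any port labelled squid_port_t.
# Note: this is coarser than relabelling one port; it covers all
# squid_port_t ports (3128, 3401, 4827), not only 3128.
allow httpd_t squid_port_t:tcp_socket name_bind;
EOF
    printf '%s\n' "$dir/$MODNAME.te"
}

# Compile the .te into a .pp and install it, but only if the SELinux
# policy toolchain is installed (policycoreutils / checkpolicy on CentOS).
build_and_load() {
    dir="$1"
    te=$(write_te "$dir")
    if command -v checkmodule >/dev/null 2>&1 \
       && command -v semodule_package >/dev/null 2>&1; then
        checkmodule -M -m -o "$dir/$MODNAME.mod" "$te"
        semodule_package -o "$dir/$MODNAME.pp" -m "$dir/$MODNAME.mod"
        sudo semodule -i "$dir/$MODNAME.pp"
        echo "loaded module $MODNAME"
    else
        echo "wrote $te (checkmodule/semodule_package not found; not loaded)"
    fi
}

# Confirm the rule is present in the loaded policy (needs setools' sesearch).
check_rule() {
    sesearch --allow -s httpd_t -t squid_port_t -c tcp_socket -p name_bind
}

# Usage: build_and_load /tmp/selinux-local && check_rule
```

After loading, restart httpd and watch `ausearch -m AVC -ts recent` for any further denials; `semodule -r httpd_bind_squid` removes the module again if the port change on the ESET side turns out to be the cleaner fix.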