Remove port from selinux policy

jscarville

Remove port from selinux policy

Post by jscarville » 2021/04/30 16:02:38

I am trying to get the ESET AV software working on my employer's system. The firewall we have (Cisco Firepower) does not handle a generic many-to-one NAT IP, an allow list, and a country blacklist as expected. ESET is in Slovakia and their registration server is in the country blacklist.

So I need a proxy server to handle the traffic. One of the ports their software defaults to is 3128 which I cannot add to selinux for http_port_t.

sudo semanage port -a -t http_port_t -p tcp 3128
ValueError: Port tcp/3128 already defined

If I search for the port I get

sudo semanage port -l | grep 3128
squid_port_t                   tcp      3128, 3401, 4827

But, if I try to remove it from squid_port_t it is forbidden.

sudo semanage port -d -t squid_port_t -p tcp 3128
ValueError: Port tcp/3128 is defined in policy, cannot be deleted

It will work if I disable selinux but I would prefer to not do that.

Can this be fixed or should I just figure out how to change the port ESET software uses?

TrevorH
Site Admin

Re: Remove port from selinux policy

Post by TrevorH » 2021/04/30 16:57:24

The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

jscarville

Re: Remove port from selinux policy

Post by jscarville » 2021/05/01 14:35:01

Thank you.

I was trying to remove the port from squid_port_t when I should have been looking for a way to let httpd and squid share the squid ports. Once past that, I just used audit2allow to produce a policy to allow the sharing.
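
As an added example (not the poster's or the thread's own code), the POSIX shell script below reads the "semanage port -l" layout quoted above to tell apart a free port, a port already labelled with the wanted type, and a port owned by another type, and for the last case prints the kind of minimal local module audit2allow produces instead of trying to delete a base-policy port definition. It assumes httpd_t is the daemon that must bind 3128 (the thread does not say which side of the proxy is httpd) and uses a constructed port table so that it runs offline.

```shell
# Added example, not code from the thread. Parses the "semanage port -l" layout
# (type, protocol, ports or ranges) from a constructed table so it runs offline;
# on a real host use "$(semanage port -l)". Only local additions (those shown by
# "semanage port -lC") can be removed with -d; base-policy entries cannot.
SAMPLE_PORTS='http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
squid_port_t                   tcp      3128, 3401, 4827
vnc_port_t                     tcp      5900-5999'

# port_owner TABLE PROTO PORT: print the type that claims PROTO/PORT, or nothing.
port_owner() {
  printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
    $2 == proto {
      for (i = 3; i <= NF; i++) {
        p = $i; sub(/,$/, "", p)
        if (p == port) { print $1; exit }
        if (split(p, r, "-") == 2 && port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) { print $1; exit }
      }
    }'
}

# plan_port_change TABLE PROTO PORT WANTED_TYPE: prints add (port unlabelled, so
# "semanage port -a" works), already (nothing to do) or conflict (another type owns
# the port: do not fight the label, grant the domain access to that type instead).
plan_port_change() {
  owner=$(port_owner "$1" "$2" "$3")
  if [ -z "$owner" ]; then echo add
  elif [ "$owner" = "$4" ]; then echo already
  else echo conflict
  fi
}

# te_for_port_bind DOMAIN PORT_TYPE: minimal local module letting DOMAIN bind to
# ports labelled PORT_TYPE, the shape audit2allow emits for that AVC denial.
# Assumes httpd_t is the daemon listening on 3128. Check "getsebool -a" for a
# boolean that already covers the access before loading a custom module. Build:
# checkmodule -M -m -o m.mod m.te && semodule_package -o m.pp -m m.mod && semodule -i m.pp
te_for_port_bind() {
  cat <<EOF
module local_${1}_${2}_bind 1.0;
require {
    type $1;
    type $2;
    class tcp_socket name_bind;
}
allow $1 $2:tcp_socket name_bind;
EOF
}

# The thread's case: squid_port_t owns 3128 in base policy, so -d is refused.
plan_port_change "$SAMPLE_PORTS" tcp 3128 http_port_t   # prints: conflict
```

Running "te_for_port_bind httpd_t squid_port_t > m.te" then the build line in the comment installs the module; keep it alongside the audit log entry that justified it.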
