我有一个 SELinux 模块,除其他功能外,它允许 Apache 通过 TCP 连接到特定端口:
cat <<EOF > sgtest.te
module sgtest 1.0.0;
require {
attribute port_type;
type httpd_t;
class tcp_socket name_socket;
}
type my_port_t, port_type;
allow httpd_t my_port_t:tcp_socket name_socket;
EOF
echo > sgtest.fc
checkmodule -M -m -o sgtest.mod sgtest.te
semodule_package -o sgtest.pp -m sgtest.mod -f sgtest.fc
semodule -i sgtest.pp
semanage port -a -t my_port_t -p tcp 2002
安装成功并且规则似乎可以正常运行。
该端口肯定已安装:
$ semanage port -l | grep my_port_t
my_port_t tcp 2002
但是,我无法删除该模块:
$ semodule -r sgtest
libsemanage.semanage_direct_remove_key: Removing last sgtest module (no other sgtest module exists at another priority).
libsepol.context_from_record: type my_port_t is not defined (No such file or directory).
libsepol.context_from_record: could not create context structure (Invalid argument).
libsepol.port_from_record: could not create port structure for range 2002:2002 (tcp) (Invalid argument).
libsepol.sepol_port_modify: could not load port range 2002 - 2002 (tcp) (Invalid argument).
libsemanage.dbase_policydb_modify: could not modify record value (Invalid argument).
libsemanage.semanage_base_merge_components: could not merge local modifications into policy (Invalid argument).
semodule: Failed!
这是在 CentOS 7.4.1708 上。
我做错了什么?
答案1
我不明白这是如何工作的,或者它与错误消息有何关系,但我发现如果我先删除端口,我就可以摆脱这种情况:
semanage port -d -p tcp 2002
semodule -r sgtest