我有一個 SELinux 模組,除其他外,它允許 Apache 透過 TCP 連接到特定連接埠:
cat <<EOF > sgtest.te
module sgtest 1.0.0;
require {
attribute port_type;
type httpd_t;
class tcp_socket name_socket;
}
type my_port_t, port_type;
allow httpd_t my_port_t:tcp_socket name_socket;
EOF
echo > sgtest.fc
checkmodule -M -m -o sgtest.mod sgtest.te
semodule_package -o sgtest.pp -m sgtest.mod -f sgtest.fc
semodule -i sgtest.pp
semanage port -a -t my_port_t -p tcp 2002
安裝成功且規則似乎有效。
該連接埠肯定已安裝:
$ semanage port -l | grep my_port_t
my_port_t tcp 2002
但是,我無法刪除該模組:
$ semodule -r sgtest
libsemanage.semanage_direct_remove_key: Removing last sgtest module (no other sgtest module exists at another priority).
libsepol.context_from_record: type my_port_t is not defined (No such file or directory).
libsepol.context_from_record: could not create context structure (Invalid argument).
libsepol.port_from_record: could not create port structure for range 2002:2002 (tcp) (Invalid argument).
libsepol.sepol_port_modify: could not load port range 2002 - 2002 (tcp) (Invalid argument).
libsemanage.dbase_policydb_modify: could not modify record value (Invalid argument).
libsemanage.semanage_base_merge_components: could not merge local modifications into policy (Invalid argument).
semodule: Failed!
這是在 CentOS 7.4.1708 上。
我做錯了什麼?
答案1
我不明白這是如何工作的,也不明白它與錯誤訊息有何關係,但我發現如果我先刪除端口,我就可以擺脫這種情況:
semanage port -d -p tcp 2002
semodule -r sgtest