CentOS - semanage - Delete range of ports
Well that was impressive, you made me go to source code to find an answer. You did stumble across the proper way to define a range with your first try: two numbers must be separated by a hyphen.
What's hanging you up is this:
    # k is the port/protocol key built from the arguments given on the command line;
    # the delete only succeeds if that exact key was used for the add
    (rc, exists) = semanage_port_exists(self.sh, k)
    if rc < 0:
        raise ValueError(_("Could not check if port %s/%s is defined") % (proto, port))
    if not exists:
        raise ValueError(_("Port %s/%s is not defined") % (proto, port))
If you specify a range of ports when adding a rule, you must specify the same range of ports when deleting a rule. For example:
    sudo semanage port -l | grep ^http_port_t
    http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
To delete those, you must call delete once for each port or port range between the commas. They can't be a contiguous range because they weren't defined that way.
Conversely, with this example:
    mysqld_port_t                  tcp      1186, 3306, 63132-63163
You can't individually delete 63132 or 63133. You must specify that exact range.
Example of adding and deleting a range:
    semanage port --add -t http_port_t -p tcp 8899-8902
    semanage port --delete -t http_port_t -p tcp 8899-8902
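An added illustration, not part of the answer above: a small shell helper that reads the column layout semanage port -l prints (type, protocol, then comma-separated ports or ranges) and finds the exact key a delete must name for a given port, so you don't have to guess whether 63140 lives in 63132-63163. The listing in SAMPLE_PORT_LIST is constructed, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample of `semanage port -l` output (not captured from a real host).
SAMPLE_PORT_LIST='http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
mysqld_port_t                  tcp      1186, 3306, 63132-63163
ssh_port_t                     tcp      22'

# Print every key (single port or range) defined for a type/protocol, one per line.
# Usage: list_keys "$list_output" type proto
list_keys() {
    printf '%s\n' "$1" | awk -v t="$2" -v p="$3" '
        $1 == t && $2 == p {
            for (i = 3; i <= NF; i++) { sub(/,$/, "", $i); print $i }
        }'
}

# Print the key that contains a port, or nothing if the port is not defined there.
# A range key is only matched as a whole; the single port inside it is never returned.
# Usage: key_containing "$list_output" type proto port
key_containing() {
    list_keys "$1" "$2" "$3" | awk -v n="$4" -F- '
        NF == 1 && $1 == n                { print $1; exit }
        NF == 2 && $1 <= n && n <= $2     { print $1 "-" $2; exit }'
}

# Print the semanage delete command for one port using the matching key (does not run it).
# Usage: delete_cmd "$list_output" type proto port
delete_cmd() {
    key=$(key_containing "$1" "$2" "$3" "$4")
    [ -n "$key" ] || { echo "port $4/$3 is not defined for $2" >&2; return 1; }
    printf 'semanage port --delete -t %s -p %s %s\n' "$2" "$3" "$key"
}

# On a real host replace SAMPLE_PORT_LIST with "$(semanage port -l)".
delete_cmd "$SAMPLE_PORT_LIST" mysqld_port_t tcp 63140
```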
Updated on September 18, 2022
Comments
-
Mike Purcell over 1 year
Surprisingly, could not find any clear information on how to delete a range of ports by way of semanage port. Here is a list of permutations I tried:

    semanage port -d -t http_port_t -p tcp 0-60000
    semanage port -d -t http_port_t -p tcp [1-60000]
    semanage port -d -t http_port_t -p tcp 1,60000
    semanage port -d -t http_port_t -p tcp 1-60000
    semanage port -d -t http_port_t -p tcp 1 60000
    semanage port -d -t http_port_t -p tcp 1,60000
    semanage port -d -t http_port_t -p tcp <60000
    semanage port -d -t http_port_t -p tcp '1-60000'
    semanage port -d -t http_port_t -p tcp '1,60000'
    semanage port -d -t http_port_t -p tcp 1000-10000

The help message wasn't clear on how to indicate a range:

    root@service1 /etc/yum/pluginconf.d # -> semanage -h
    /usr/sbin/semanage: semanage [ -S store ] -i [ input_file | - ]
    semanage [ -S store ] -o [ output_file | - ]
    semanage login -{a|d|m|l|D|E} [-nrs] login_name | %groupname
    semanage user -{a|d|m|l|D|E} [-LnrRP] selinux_name
    semanage port -{a|d|m|l|D|E} [-nrt] [ -p proto ] port | port_range
-
Mike Purcell over 11 years
Wow, that seems odd. I would think we could just set a contiguous range and it would delete all ports contained therein. In the interim I passed -D, which resets the port to default ports. Seems to me that these assignments should be only for ports you want, and not all these default ports. Thanks for the follow-up, much appreciated.
-
loislo over 11 years
@MikePurcell Yeah, it's a bit frustrating. What happens is everything you specify turns into a key. Thus, the resulting key for any operation must be the same key as was used for the add. Blame it on the underlying kernel API.