CentOS - semanage - Delete range of ports


Well that was impressive, you made me go to the source code to find an answer. You did stumble across the proper way to define a range with your first try: two numbers must be separated by a hyphen.

What's hanging you up is this:

# semanage delete path: k is the key built from exactly what you typed (proto, port or port range)
(rc, exists) = semanage_port_exists(self.sh, k)
if rc < 0:
    raise ValueError(_("Could not check if port %s/%s is defined") % (proto, port))
if not exists:
    raise ValueError(_("Port %s/%s is not defined") % (proto, port))

If you specify a range of ports when adding a rule, you must specify the same range of ports when deleting a rule. For example:

sudo semanage port -l | grep ^http_port_t
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443

To delete those, you must call delete once for each port or port range between the commas. They can't be a contiguous range because they weren't defined that way.

Conversely, with this example:

mysqld_port_t                  tcp      1186, 3306, 63132-63163

You can't individually delete 63132 or 63133. You must specify that exact range.

Example of adding and deleting a range:

semanage port --add -t http_port_t -p tcp 8899-8902
semanage port --delete -t http_port_t -p tcp 8899-8902
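As an added illustration (not part of loislo's answer or of the semanage project), the following POSIX shell helpers read a `semanage port -l` listing, find the exact token (single port or hyphenated range) under which a given port is defined, and print the `--delete` command that names that same key. The `SAMPLE_LISTING` is a constructed excerpt in the listing format quoted above, and the helper names `find_port_key` and `port_delete_cmd` are assumptions of this example.

```shell
#!/bin/sh
# Added example: look up the exact key (port or port range) semanage stores for a
# port, then build the --delete command with that same key.
# SAMPLE_LISTING is a constructed excerpt in the format of `semanage port -l`;
# pass no fourth argument to the helpers to read the live listing instead.
SAMPLE_LISTING='http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
mysqld_port_t                  tcp      1186, 3306, 63132-63163'

# find_port_key TYPE PROTO PORT [LISTING]
# Prints the token (e.g. "443" or "63132-63163") under which PORT is defined
# for TYPE/PROTO, or nothing if the port is not defined for that type.
find_port_key() {
    fpk_type=$1; fpk_proto=$2; fpk_port=$3
    fpk_listing=${4:-$(semanage port -l)}
    printf '%s\n' "$fpk_listing" | awk -v t="$fpk_type" -v pr="$fpk_proto" -v p="$fpk_port" '
        $1 == t && $2 == pr {
            for (i = 3; i <= NF; i++) {
                tok = $i
                sub(/,$/, "", tok)                  # strip the trailing comma
                if (split(tok, r, "-") == 2) { lo = r[1]; hi = r[2] } else { lo = tok; hi = tok }
                if (p + 0 >= lo + 0 && p + 0 <= hi + 0) { print tok; exit }
            }
        }'
}

# port_delete_cmd TYPE PROTO PORT [LISTING]
# Prints the semanage command that deletes the entry containing PORT, using the
# exact stored key; returns 1 if no such entry exists.
port_delete_cmd() {
    pdc_key=$(find_port_key "$1" "$2" "$3" "${4:-}")
    if [ -z "$pdc_key" ]; then
        echo "port $2/$3 is not defined for $1" >&2
        return 1
    fi
    printf 'semanage port --delete -t %s -p %s %s\n' "$1" "$2" "$pdc_key"
}

# Demo on the constructed listing: 63140 lives inside 63132-63163, so the
# delete must name that whole range.
port_delete_cmd mysqld_port_t tcp 63140 "$SAMPLE_LISTING"
```

Run as root on a real host without the fourth argument to query the live listing; `port_delete_cmd` only prints the command, so you can inspect the key before running it.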

Author: Mike Purcell

Updated on September 18, 2022

Comments

  • Mike Purcell over 1 year

    Surprisingly, could not find any clear information on how to delete a range of ports by way of semanage port. Here is a list of permutations I tried:

    semanage port -d -t http_port_t -p tcp 0-60000
    semanage port -d -t http_port_t -p tcp [1-60000]
    semanage port -d -t http_port_t -p tcp 1,60000
    semanage port -d -t http_port_t -p tcp 1-60000
    semanage port -d -t http_port_t -p tcp 1 60000
    semanage port -d -t http_port_t -p tcp 1,60000
    semanage port -d -t http_port_t -p tcp <60000
    semanage port -d -t http_port_t -p tcp '1-60000'
    semanage port -d -t http_port_t -p tcp '1,60000'
    semanage port -d -t http_port_t -p tcp 1000-10000
    

    The help message wasn't clear on how to indicate a range:

    root@service1 /etc/yum/pluginconf.d # -> semanage -h
    /usr/sbin/semanage: 
    semanage [ -S store ] -i [ input_file | - ]
    semanage [ -S store ] -o [ output_file | - ]
    
    semanage login -{a|d|m|l|D|E} [-nrs] login_name | %groupname
    semanage user -{a|d|m|l|D|E} [-LnrRP] selinux_name
    semanage port -{a|d|m|l|D|E} [-nrt] [ -p proto ] port | port_range
    
  • Mike Purcell over 11 years
    Wow that seems odd. I would think we could just set a contiguous range and it would delete all ports contained therein. In the interim I passed -D which resets the port to default ports. Seems to me that these assignments should be only for ports you want, and not all these default ports. Thanks for the follow-up, much appreciated.
  • loislo over 11 years
    @MikePurcell Yeah, it's a bit frustrating. What happens is everything you specify turns into a key. Thus, the resulting key for any operation must be the same key as was used for the add. Blame it on the underlying kernel API.