On Fedora, how do I configure selinux to allow a port for a new undefined service type?
I have several things that I'd like to be able to stand up as servers on Fedora. I know I can run at least some of these in podman
or docker
but I already know how to do that. I also already know how to allow it for existing services like ssh
if all I want to do is use a custom port via:
sudo semanage port -a -t ssh_port_t -p tcp 2222
But my problem is that selinux already defines the ssh_port_t
type. What if I have some custom app that I can't or don't want to run in a container for some reason, how would I allow a port for something that does NOT have an already predefined type in semanage port --list
?
For this example, let's say I'm trying to run /path/myNiftyGameServer and want to allow it to connect on udp port 12345 (which is currently unused on my system). How can I do this?
Background-wise, I don't claim to be a guru but I feel relatively proficient with bash and Linux in general but am still very much a novice when it comes to SELinux (I know about labels, restorecon
, and some basic semanage
commands but am still learning).
Please assume that I am unwilling to simply disable SELinux (because I am). If this question seems unpractical, it is fine to make additional suggestions but I am asking mostly because I'm curious how this problem would be solved in SELinux and have not been able to find a solution on my own except for existing types like my ssh example above. Please feel free to suggest other relevant reading topics for SELinux newbies.
Edit: From additional searches and based on my finding a Starbound server on Centos and a Soldat Dedicated server policy, I'm guessing that maybe I need to learn how to write an SELinux policy? Crazy that I need that much when a service simply doesn't have a name but I still want to learn how to do it.
Edit 2: After getting some time to read thorough them, the Starbound link does not appear to be what I'm after; the only SELinux policy writing was for a separate Apache server (Apache is already defined) rather than for a game server. The Soldat one seems very close to what I'm after but I think I need a primer on policy writing to be able to get there. In particular, I am really only interested in how to open a port for a custom server / web service. Setting file path access sounds nice too but I can manage that with user accounts whereas even if I open a network port in firewall-cmd (firewalld), it will still be blocked by SELinux if I'm not mistaken (I know I had this issue in the past but I suppose I could retest to be sure).
A key thing to understand here is that the default SELinux policy is targeted. That is, it only constrains known things. Long, long ago we tried the other approach (block everything that isn't allowed by policy), and so much stuff broke all of the time that everyone turned it off.
So, your myNiftyGameServer
is going to be running in an unconfined domain anyway by default — if you want to tighten it down, you'll need to either run it in a container or write a specific policy.
That's why you're not finding an easy way to just add a random port type ... it wouldn't be very useful.
There's a decent quick guide for creating a custom policy for a daemon in the RHEL 8 Docs