SELinux port "defined in policy, cannot be deleted"

I am not satisfied with the answer to this question:

$> sudo semanage port -d -p tcp -t foo...
ValueError: Port foo is defined in policy, cannot be deleted

The accepted answer is

The SELinux policy includes definitions for ports ... There is no need to remove them.

No need to remove them. Okay, but I want to remove them anyway -- I want the SELinux availability of the port to match the actual availability of the port, just for consistency's sake.

How to I semanage port -d for ports defined in the policy? (In my case, ssh.)


Your option would be to build your own policy module for SSH, removing the part were the port is labelled.

Since you can now load policy modules specifying a priority, your custom module will have a higher precedence. Check the -X,--priority=PRIORITY flag in the semodule manual page for the details.

For the record, I concur with Michael Hampton in that there's no need to remove the port from the policy. It does not increase the security of the system at all, as there are multiple ways to either increase or relax the security (as in SELinux related) management of the SSH server, namely: delete the OpenSSH server to begin with, label the traffic, or, in the other direction, put the SSH server in a permissive domain.