I have installed CentOS 6.4 - 64 bits and I have disabled SELinux. I attempted to add a new TCP port so that httpd can connect using this command and it fails:
[root@localhost selinux]# semanage port -a -t http_port_t -p tcp 8409
SELinux: Could not downgrade policy file /etc/selinux/targeted/policy/policy.24, searching for an older version.
SELinux: Could not open policy file <= /etc/selinux/targeted/policy/policy.24: No such file or directory
libsemanage.semanage_reload_policy: load_policy returned error code 2.
SELinux: Could not downgrade policy file /etc/selinux/targeted/policy/policy.24, searching for an older version.
SELinux: Could not open policy file <= /etc/selinux/targeted/policy/policy.24: No such file or directory
libsemanage.semanage_reload_policy: load_policy returned error code 2.
/usr/sbin/semanage: Could not commit semanage transaction
According to this Red Hat bug report: https://bugzilla.redhat.com/show_bug.cgi?id=918912
the issue has been fixed by upgrading the SELinux policy packages to these versions:
selinux-policy-targeted-3.7.19-195.el6_4.3.noarch
selinux-policy-3.7.19-195.el6_4.3.noarch
This link also states that the fix was released on March 13, 2013
http://blog.gluster.org/category/selinux/
Is the fix stated in the Red Hat bug report available for CentOS 6.4 - 64 bits?
Can you please let me know how I can access and install this fix?
I attempted to update selinux policy packages but yum is not finding any new updates.
selinux error Could not downgrade policy file
Re: selinux error Could not downgrade policy file
CentOS 6.4 is two years old and unsupported. Current release is 6.6 and you are advised to use that as it fixes several security vulnerabilities.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: selinux error Could not downgrade policy file
Why would you be doing this if you've disabled SELinux? If you've not loaded policy during boot, you can't edit it.
samt wrote: I have installed CentOS 6.4 - 64 bits and I have disabled SELinux. I attempted to add a new TCP port so that httpd can connect using this command and it fails:
[root@localhost selinux]# semanage port -a -t http_port_t -p tcp 8409
-- Jeremy --
Re: selinux error Could not downgrade policy file
The machine is heavily used all the time and upgrading to 6.6 cannot be done at this point in time. I was hoping that I could apply a package upgrade to go around this bug without resorting to upgrades and reboots.
For the benefit of those who may run into this problem, the only workaround that I have found so far but have not attempted is to enable SELinux, add all the necessary ports for httpd connection and then disable SELinux again. My understanding is that this process has inherent risks and I found this article from Red Hat that discusses the issues surrounding enabling SELinux again.
http://docs.fedoraproject.org/en-US/Fed ... Linux.html
Thanks for the responses and if anyone else knows any workarounds please post.
Re: selinux error Could not downgrade policy file
If SELinux was disabled, you didn't need to tell the policy about the new port. This is not a bug. You're trying to take an action that modifies an SELinux policy that isn't loaded. You're doing something that's completely unnecessary.
Have apache open whatever ports that you need with a "Listen" statement in your configuration file. SELinux is irrelevant if you've disabled it.
If you're going to reenable SELinux, take the time to do things the right way and leave it enabled.
-- Jeremy --
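
Added example (not part of any post in this thread): a shell helper that applies the point made in the last reply, checking the SELinux mode before touching port labels. The function names and the sample `semanage port -l` listing are constructed for illustration.

```shell
#!/bin/bash
# Decide whether httpd needs an SELinux port label before calling semanage.

# Constructed sample of `semanage port -l` output (not captured from a real host).
SAMPLE_PORTS='http_cache_port_t              tcp      3128, 8080, 8118, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
squid_port_t                   udp      3401, 4827'

# port_type LISTING PROTO PORT -> prints the type that already covers PORT, if any.
port_type() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                item = $i; sub(/,$/, "", item)        # drop the trailing comma
                n = split(item, r, "-")               # "10001-10010" is a range
                lo = r[1] + 0; hi = (n == 2 ? r[2] : r[1]) + 0
                if (port + 0 >= lo && port + 0 <= hi) { print $1; exit }
            }
        }'
}

# plan_port_label MODE LISTING PORT -> prints the action for httpd on tcp/PORT.
# MODE is what getenforce prints: Enforcing, Permissive or Disabled.
plan_port_label() {
    mode=$1 listing=$2 port=$3
    if [ "$mode" = "Disabled" ]; then
        # No policy is loaded, so there is nothing for semanage to reload.
        echo "skip: SELinux is disabled, a Listen $port directive is all httpd needs"
        return 0
    fi
    owner=$(port_type "$listing" tcp "$port")
    case "$owner" in
        http_port_t) echo "ok: tcp/$port is already http_port_t" ;;
        "")          echo "run: semanage port -a -t http_port_t -p tcp $port" ;;
        *)           echo "review: tcp/$port is currently labeled $owner" ;;
    esac
}

# Demo with the constructed listing; on a live host (as root) use instead:
#   mode=$(getenforce)
#   [ "$mode" = Disabled ] || listing=$(semanage port -l)
#   plan_port_label "$mode" "$listing" 8409
plan_port_label Disabled "$SAMPLE_PORTS" 8409
```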