Using SELinux to force Linux to allow programs to bind to port numbers lower than 1024

Is there a way in SELinux to force Linux to allow a program to be able to bind to a port number lower than 1024?


Solution 1:

Assuming you have a proper policy module for the application (let's call your app "foo") in place, you can do one of two things. You either define a foo_port_t type in the policy and allow your app access to it, like this:

allow foo_t foo_port_t:tcp_socket name_bind;

and then use something like this to label the actual port:

semanage port -a -t foo_port_t -p tcp 803

This will claim TCP port 803 for your application. Most ports below 1023 already have labels on them though and you cannot label a port, file, whatever multiple times.

So option two: you can allow your app to bind to a port that has a different label, by putting lines like this into your policy module:

require { 
    type http_port_t;
}

allow foo_t http_port_t:tcp_socket name_bind;

This would allow your app to bind to any port that has http_port_t (meaning 80, 443, 488, 8008, 8009 and 8443). You can find out what label the port you want to use (803 in this example) has with this command:

semanage port -l | grep 803
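
As an added example (not part of either answer), a small shell helper that resolves a port's existing label from the `semanage port -l` listing by matching the whole port number or a range, rather than any line containing the digits, and then prints the option-two module for that label. The listing is a constructed sample in the real command's format, and the app name foo / type foo_t are assumed.

```shell
#!/bin/sh
# Added example: resolve which SELinux port type already owns a TCP port from
# the `semanage port -l` listing, then emit the option-two policy module.
# SAMPLE_PORT_LIST is a constructed sample in the real listing's format; on a
# live host replace it with: semanage port -l   (needs root and SELinux tools)
SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
reserved_port_t                tcp      1-511
hi_reserved_port_t             tcp      512-1023
unreserved_port_t              tcp      1024-32767, 32768-60999'

# port_type PORT [PROTO]: print the type labelling PORT. A plain `grep 803`
# would also hit 8030 or 1803 and cannot see ranges such as 512-1023; this
# matches whole numbers and ranges, preferring an exact entry over a range.
port_type() {
    printf '%s\n' "$SAMPLE_PORT_LIST" | awk -v p="$1" -v pr="${2:-tcp}" '
        NR == 1 || $2 != pr { next }              # skip header, other protocols
        {
            for (i = 3; i <= NF; i++) {
                f = $i; sub(/,$/, "", f)          # strip the trailing comma
                if (f ~ /^[0-9]+-[0-9]+$/) {
                    split(f, r, "-")
                    if (p+0 >= r[1]+0 && p+0 <= r[2]+0 && rg == "") rg = $1
                } else if (f+0 == p+0 && ex == "") ex = $1
            }
        }
        END { if (ex != "") print ex; else if (rg != "") print rg }'
}

# name_bind_te APP PORT_TYPE: print a minimal module letting APP_t bind to
# ports labelled PORT_TYPE (option two). Build and load it with the usual
# checkmodule -M -m / semodule_package / semodule -i steps (not run here).
name_bind_te() {
    cat <<EOF
module ${1}_bind 1.0;
require {
    type ${1}_t;
    type $2;
    class tcp_socket name_bind;
}
allow ${1}_t $2:tcp_socket name_bind;
EOF
}

# Usage: find which type owns 803, then grant foo_t name_bind on that type.
owner=$(port_type 803)
name_bind_te foo "$owner"
```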

Solution 2:

Run it as root or sudo it. You should only use root for testing, never in production. The kernel won't allow you to open a port below 1024 (well-known ports) without these permissions. It has nothing to do with SELinux but with the kernel.