Using SELinux to force Linux to allow programs to bind to port numbers lower than 1024
Is there a way in SELinux to force Linux to allow a program to bind to a port number lower than 1024?
Solution 1:
Assuming you have a proper policy module for the application (let's call your app "foo") in place, you can do one of two things. You either define a foo_port_t type in the policy and allow your app access to it, like this:
allow foo_t foo_port_t:tcp_socket name_bind;
and then use something like this to label the actual port:
semanage port -a -t foo_port_t -p tcp 803
This will claim TCP port 803 for your application. Most ports below 1023 already have labels on them, though, and you cannot label a port, file, or whatever multiple times.
So option two: you can allow your app to bind to a port that has a different label, by putting lines like this into your policy module:
require {
type http_port_t;
}
allow foo_t http_port_t:tcp_socket name_bind;
This would allow your app to bind to any port that has http_port_t (meaning 80, 443, 488, 8008, 8009 and 8443). You can find out which label the port you want to use (803 in this example) has with this command:
semanage port -l | grep 803
Solution 2:
Run it as root or sudo it. You should only use root for testing, never in production. The kernel won't allow you to open a port below 1024 (well-known ports) without these permissions. It has nothing to do with SELinux but with the kernel.