allow an application on port UDP/162 as non-root

Trevor Hemsley trevor.hemsley at codefarm.com
Thu Aug 6 14:58:49 UTC 2009


Matthew Galgoci wrote:
>> Date: Thu, 6 Aug 2009 16:44:44 +0200 (CEST)
>> From: Patrick Lambooy <p.lambooy at narmida.com>
>> To: redhat-sysadmin-list at redhat.com
>> Subject: allow an application on port UDP/162 as non-root
>>
>> Hello,
>>
>> I need some SELinux help.
>>
>> The problem is:
>> The application starts its own listening SNMP trap app on port UDP/162.
>>
>> What I want is to allow a user (not root) to start the application (Java)
>> and let it bind to the port UDP/162.
>>
>> The original snmptrapd is deactivated, so no problem here.
>>
>> The problem is that ports 1 to 1024 can only be used by root.
>>
>> The only way to do this is to completely deactivate this part of security,
>> which I really don't like; very nasty.
>>
>> Is there a way with SELinux to do this?
>> Please explain in detail, because I'm still partly a SELinux n00b.
>> Sorry.
>>
>> The alternative is to let the app run as root, which isn't going to happen :-)
>>
>> I really hope somebody knows how and if this can be done with SELinux; after
>> 1 day of searching and testing I'm a bit stuck.
>> Other suggestions are also welcome.
>>     
>
> This isn't a selinux issue. By default non-root processes cannot bind to
> ports less than 1024. I'm not sure if there is a clean way around this.
>   

iptables: redirect UDP port 162 to, say, 1162.

# nat table (REDIRECT is only valid there); the app then binds UDP/1162 as non-root
iptables -t nat -A PREROUTING -d 192.168.1.1 -p udp -m udp --dport 162 -j REDIRECT --to-ports 1162

-- 

Trevor Hemsley
Infrastructure Engineer
.................................................
* C A L Y P S O
* Brighton, UK   

OFFICE 	+44 (0) 1273 666 350
FAX 	+44 (0) 1273 666 351

.................................................
www.calypso.com

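The redirect Trevor describes, as a runnable script added here (it is not part of the original thread or of any project's code): it emits the nat-table rules, including the OUTPUT-chain counterpart needed for traps generated on the host itself, refuses a target port that is still in the privileged range, and lists the commands used to confirm that traps arrive. The variable names TRAP_ADDR, PRIV_PORT, APP_PORT and DRY_RUN, and the file name redirect_trap_port.sh, are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original thread: generate (and optionally apply)
# the nat-table REDIRECT rules that deliver UDP/162 traps to an unprivileged
# port, then list the commands used to check the result. TRAP_ADDR, PRIV_PORT,
# APP_PORT and DRY_RUN are names chosen for this example.
set -eu

TRAP_ADDR="${TRAP_ADDR:-192.168.1.1}"   # address the traps are sent to (assumed)
PRIV_PORT="${PRIV_PORT:-162}"           # privileged port the senders use
APP_PORT="${APP_PORT:-1162}"            # unprivileged port the Java app binds
DRY_RUN="${DRY_RUN:-1}"                 # 1 = only print, 0 = run iptables (root)

# The app port must be outside the privileged range 1-1023, or the redirect
# merely moves the bind problem; it must also differ from the trap port.
check_ports() {
    [ "$PRIV_PORT" -ge 1 ] && [ "$PRIV_PORT" -le 65535 ] || return 1
    [ "$APP_PORT" -ge 1024 ] && [ "$APP_PORT" -le 65535 ] || return 1
    [ "$APP_PORT" -ne "$PRIV_PORT" ] || return 1
}

# REDIRECT is only valid in the nat table. PREROUTING sees traps arriving
# from the network; locally generated traps (for example a test with snmptrap
# on the same host) never traverse PREROUTING, so the same match goes in OUTPUT.
redirect_rules() {
    printf '%s\n' \
      "iptables -t nat -A PREROUTING -d $TRAP_ADDR -p udp --dport $PRIV_PORT -j REDIRECT --to-ports $APP_PORT" \
      "iptables -t nat -A OUTPUT -d $TRAP_ADDR -p udp --dport $PRIV_PORT -j REDIRECT --to-ports $APP_PORT"
}

# Checks to run once the rules are in: the nat rule counters should increase
# per trap, the app should be listening on the unprivileged UDP port, and a
# test trap sent to the privileged port should reach it. The OID is the
# Net-SNMP example heartbeat notification from the snmptrap man page.
verify_cmds() {
    printf '%s\n' \
      "iptables -t nat -L -n -v --line-numbers" \
      "ss -lunp" \
      "snmptrap -v 2c -c public $TRAP_ADDR '' 1.3.6.1.4.1.8072.2.3.0.1"
}

apply() {
    check_ports || { echo "refusing: APP_PORT must be 1024-65535 and differ from PRIV_PORT" >&2; return 2; }
    redirect_rules | while read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then echo "$cmd"; else $cmd; fi
    done
    echo "# then verify with:"
    verify_cmds
}

# Usage: sh redirect_trap_port.sh                  (print the commands)
#        sudo env DRY_RUN=0 sh redirect_trap_port.sh  (apply them)
apply
```

Two things to keep in mind when using this: the unprivileged port is itself reachable from the network, so if only UDP/162 should be exposed, add a filter rule that drops direct traffic to 1162 from outside; and nat rules added this way are not persistent, so save them with the distribution's iptables service (service iptables save on Red Hat) once they have been tested.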




More information about the redhat-sysadmin-list mailing list