allow an application on port UDP/162 as non-root

Patrick Lambooy p.lambooy at narmida.com
Thu Aug 6 17:40:48 UTC 2009


The app is Java, which is 800 MB;
to sudo the whole Java app isn't a very good idea :-(

As for the iptables option: the problem is the Java app can't be on any
other port than 162, otherwise I would have done it like you suggested right
away; this was my first thought also.

There is a way through the kernel to turn the privilege on all ports 1 to 1024 off,
but this isn't what you want.
As far as I can tell from the docs, it could be possible to tell SELinux to
allow this port UDP 162 to bind to Java without compromising the
security.

The problem is how this can be done.






On Aug 6, 2009, at 5:02 PM, sun.jedi wrote:

> Have you looked at sudo to start the app?
>
> -Marc
>
> On 8/6/2009 10:53 AM, Matthew Galgoci wrote:
>>> Date: Thu, 6 Aug 2009 16:44:44 +0200 (CEST)
>>> From: Patrick Lambooy <p.lambooy at narmida.com>
>>> To: redhat-sysadmin-list at redhat.com
>>> Subject: allow an application on port UDP/162 as non-root
>>>
>>> Hello,
>>>
>>> I need some Selinux help
>>>
>>> The problem is :
>>> The application starts its own listening SNMP trap app on port UDP/162
>>>
>>> What I want is to allow a user (not root) to start the
>>> application (Java)
>>> and let it bind to the port UDP/162.
>>>
>>> The original snmptrapd is deactivated so no problem here
>>>
>>> The problem is ports 1 to 1024 can only be used by root
>>>
>>> The only way to do this is to completely deactivate this part of
>>> security,
>>> which I really don't like; very nasty.
>>>
>>> Is there a way with SELinux to do this?
>>> Please explain in detail because I'm still partly a SELinux n00b,
>>> sorry
>>>
>>> The alternative is to let the app run as root, which isn't going to
>>> happen :-)
>>>
>>> I really hope somebody knows how and if this can be done with
>>> SELinux; after
>>> 1 day of searching and testing I'm a bit stuck.
>>> Other suggestions are also welcome
>>>
>>
>> This isn't an SELinux issue. By default non-root processes cannot
>> bind to
>> ports less than 1024. I'm not sure if there is a clean way around
>> this.
>>
>>
>
> --
> redhat-sysadmin-list mailing list
> redhat-sysadmin-list at redhat.com
> https://www.redhat.com/mailman/listinfo/redhat-sysadmin-list
>

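Added example, not text or code from any participant in the thread above. The check that refuses the bind is the kernel's CAP_NET_BIND_SERVICE test, a DAC/capability check that SELinux policy can further restrict but cannot relax; with the targeted policy an unconfined user may already bind snmp_port_t (161/162), so no policy work is involved. The scoped fix is to put that one capability on a dedicated JVM binary with setcap, which is far narrower than sudo or running the 800 MB application as root. The blanket fix the OP mentions (lowering the privileged-port threshold) exists as the sysctl net.ipv4.ip_unprivileged_port_start only on kernels from 4.11 onward. The script assumes a Linux host with file-capability support (kernel 2.6.24 or later), libcap's setcap/getcap, a JDK under a hypothetical $JAVA_HOME such as /opt/jdk, and a hypothetical service user snmpapp.

```shell
#!/bin/sh
# Added example (not from the thread): let a non-root JVM bind UDP/162 via
# CAP_NET_BIND_SERVICE instead of sudo/root. Assumes a Linux kernel with file
# capabilities (2.6.24+), the libcap tools setcap/getcap, and a JDK under the
# hypothetical path $JAVA_HOME. Only grant_bind_cap changes the system and
# must run as root; every other function is read-only.

# Lowest port an unprivileged process may bind. Kernels since 4.11 expose it
# as a sysctl (containers often set it to 0); older kernels hard-code 1024.
unprivileged_port_start() {
    if [ -r /proc/sys/net/ipv4/ip_unprivileged_port_start ]; then
        cat /proc/sys/net/ipv4/ip_unprivileged_port_start
    else
        echo 1024
    fi
}

# port_needs_cap PORT [START]: true (0) when binding PORT requires
# CAP_NET_BIND_SERVICE. START defaults to the running kernel's threshold.
port_needs_cap() {
    start="${2:-$(unprivileged_port_start)}"
    [ "$1" -lt "$start" ]
}

# cap_line_grants_bind LINE: true when one line of getcap output carries
# cap_net_bind_service in the effective set. Both libcap output formats:
#   /usr/bin/java = cap_net_bind_service+ep      (older libcap)
#   /usr/bin/java cap_net_bind_service=ep        (libcap 2.4x and later)
cap_line_grants_bind() {
    printf '%s\n' "$1" | grep -q 'cap_net_bind_service[=+][ip]*e'
}

# has_bind_cap PATH: true when the file at PATH already grants the capability.
has_bind_cap() {
    command -v getcap >/dev/null 2>&1 || return 1
    cap_line_grants_bind "$(getcap "$1" 2>/dev/null)"
}

# grant_bind_cap JAVA_HOME: mark the JVM launcher (one binary, not the whole
# application) with the capability, then make sure it still starts. Root only.
grant_bind_cap() {
    jvm="$1/bin/java"
    [ -x "$jvm" ] || { echo "no java launcher at $jvm" >&2; return 1; }
    setcap cap_net_bind_service=+ep "$jvm" || return 1
    # Caveat: a binary carrying file capabilities is executed in "secure"
    # mode, so the dynamic linker ignores LD_LIBRARY_PATH and the
    # $ORIGIN-relative rpath the java launcher uses to locate libjli.so.
    # Register that directory system-wide, otherwise java fails with
    # "error while loading shared libraries: libjli.so".
    jli_dir=$(dirname "$(find "$1/lib" -name libjli.so | head -n 1)")
    echo "$jli_dir" > /etc/ld.so.conf.d/java-jli.conf
    ldconfig
    has_bind_cap "$jvm"
}

# Optional SELinux sanity check: the targeted policy already labels 161/162
# as snmp_port_t, which an unconfined user may bind, so no policy edit needed.
#   semanage port -l | grep snmp_port_t

# Usage (as root), then start the app as the ordinary service user:
#   grant_bind_cap /opt/jdk                      # hypothetical JAVA_HOME
#   su - snmpapp -c '/opt/jdk/bin/java -jar /opt/app/trapreceiver.jar'
if port_needs_cap 162; then
    echo "UDP/162 needs CAP_NET_BIND_SERVICE on this kernel"
fi
```

The capability is set as +ep only (no inheritable bit), so processes the JVM spawns with Runtime.exec do not receive it, and anyone able to replace the marked java binary would of course also gain it, so keep it root-owned and not group/world writable.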



More information about the redhat-sysadmin-list mailing list