allow an application on port UDP/162 as non root
Chris Adams
cmadams at hiwaay.net
Thu Aug 6 18:55:35 UTC 2009
Once upon a time, Patrick Lambooy <p.lambooy at narmida.com> said:
> As I can tell from the docs it could be possible to tell selinux to
> allow this port UDP 162 to bind to java without compromising the
> security.
No, SELinux cannot do that. SELinux can only put additional limits on
the already-existing permissions; it cannot grant permissions you
wouldn't otherwise have.
The only solutions are:
- run it as root
- use iptables to map 162 to a higher number port and configure or
modify the app to listen on a different port (as far as the network is
concerned, it would still be port 162)
- use a helper program to open the port and give it to the app (don't
know if this will work with Java though; does it support FD passing?)
--
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
More information about the redhat-sysadmin-list mailing list