My app binds to a random port prior to connecting to a well known port.
If the random port is in use (errno == EADDRINUSE) the port number is incremented and a
new bind is attempted.
SELinux port labeling was causing errno==EACCES for ports that are under SELinux control.
I found corenet_tcp_bind_all_ports() which fixed the problem - because now, my app is
allowed to use those ports.
Dan Walsh suggested corenet_tcp_bind_generic_port() instead - so my app doesn't use
the ports managed by SELinux for other apps. So I changed my code to also increment the
port and re-attempt a bind when errno==EACCES.
I find that some non-SELinux controlled ports are also causing EACCES (but only in
enforcing mode)... and EACCES is a problem I've never run into before on non-SELinux
boxes... so I believe that SELinux is somehow preventing access to the un-controlled
ports.
For each of the ports listed below, the PRIOR port has an SELinux type shown by 'semanage
port -l', yet these ports also get the EACCES error:
1702
2607
3261
3552
4691
5433
5704
6021
7001
8022
8119
8291
8293
9011
9223
9283
9293
9434
9702
13446
16002
Oops... I was not resetting errno in the loop.
Thanks,
Brian
-----Original Message-----
From: Brian Ginn
Sent: Tuesday, May 26, 2009 3:59 PM
To: 'fedora-selinux-list(a)redhat.com'
Subject: ports under SELinux on RHEL-5.3
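The bind-and-retry loop this thread describes, with the errno mistake the reply owns up to placed beside the corrected form, as an added example that is not Brian's code. The loop takes bind(2) as a function pointer so it can be exercised against a constructed stand-in; the stand-in and its port numbers (1700 taken, 1701 SELinux-labelled) are assumptions for the demonstration, and the real call is simply `bind_free_port(fd, first, last, bind)`.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <sys/socket.h>
/* Same signature as bind(2), so the loop can run against a stand-in. */
typedef int (*bind_fn)(int, const struct sockaddr *, socklen_t);

/* Buggy form (the mistake from the reply): errno never reset, return value
 * ignored. After an EACCES from a labelled port, a free port looks denied too. */
uint16_t bind_free_port_buggy(int fd, uint16_t first, uint16_t last, bind_fn do_bind)
{
    struct sockaddr_in sa = { .sin_family = AF_INET };   /* INADDR_ANY */
    for (unsigned p = first; p <= last; p++) {
        sa.sin_port = htons((uint16_t)p);
        do_bind(fd, (struct sockaddr *)&sa, sizeof sa);
        if (errno == EADDRINUSE || errno == EACCES)
            continue;                 /* stale errno: skips a port that bound fine */
        return (uint16_t)p;
    }
    return 0;
}

/* Fixed form: clear errno, branch on the return value; EADDRINUSE (taken) and
 * EACCES (SELinux-labelled) mean "next port", anything else is a real failure. */
uint16_t bind_free_port(int fd, uint16_t first, uint16_t last, bind_fn do_bind)
{
    struct sockaddr_in sa = { .sin_family = AF_INET };
    for (unsigned p = first; p <= last; p++) {
        sa.sin_port = htons((uint16_t)p);
        errno = 0;
        if (do_bind(fd, (struct sockaddr *)&sa, sizeof sa) == 0)
            return (uint16_t)p;
        if (errno != EADDRINUSE && errno != EACCES)
            return 0;
    }
    return 0;
}

/* Constructed stand-in for bind(2): 1700 is taken, 1701 is SELinux-labelled,
 * the rest are free. Like the kernel, it leaves errno alone on success. */
int fake_bind(int fd, const struct sockaddr *addr, socklen_t len)
{
    (void)len;
    uint16_t p = ntohs(((const struct sockaddr_in *)addr)->sin_port);
    if (fd < 0)    { errno = EBADF;      return -1; }
    if (p == 1700) { errno = EADDRINUSE; return -1; }
    if (p == 1701) { errno = EACCES;     return -1; }
    return 0;
}
```

With the stand-in, the buggy loop reports no free port in 1700..1705 even though 1702 binds, which is exactly the "port after a labelled port gets EACCES" symptom; the fixed loop returns 1702.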