allow an application on port UDP/162 as non-root

Jonathan Billings jsbillin at umich.edu
Thu Aug 6 17:51:03 UTC 2009


On Thu, Aug 06, 2009 at 07:40:48PM +0200, Patrick Lambooy wrote:
> The app is Java, which is 800 MB;
> sudo-ing the whole Java app isn't a very good idea :-(
> 
> As to the iptables option, the problem is the Java app can't be on any
> other port than 162, otherwise I would have made it like you suggested
> right away; this was my first thought also.
> 
> There is a way through the kernel to turn all port privileges (1 to 1024) off,
> but this isn't what you want.
> As I can tell from the docs, it could be possible to tell SELinux to
> allow this port UDP 162 to bind to Java without compromising the
> security.
> 
> The problem is how this can be done.

Even if you had the java program labeled and an SELinux policy that
allowed it to listen on port 162, I believe you'd still run into the
limitation that non-root users can't listen on ports 1-1024.  I don't
believe that SELinux has a tunnel through that kernel setting.

The fact that this program has no ability to change from port 162
makes me think that either it was intended to run as root or it was
written for another OS that didn't have non-root port listening
limitations.  (Or, perhaps it was written by someone ignorant of Unix
and Linux.)

-- 
Jonathan Billings <jonathan.billings at umich.edu>
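The check that decides the question in this thread, as an added example that is not part of the list discussion: the kernel allows a bind below the privileged port boundary only if the process holds CAP_NET_BIND_SERVICE, and SELinux port labelling is an additional restriction on top of that, not a way around it. The script below reads the process's effective capability set from /proc/self/status, reads the privileged-port boundary from the ip_unprivileged_port_start sysctl where the kernel exposes it (the knob Patrick refers to; kernels of the thread's era hard-code 1024), and attempts a real UDP bind so the EACCES failure is visible. The function and file names are the example's own, not from any tool on the page.

```python
import errno
import socket

CAP_NET_BIND_SERVICE = 10          # capability bit number, from <linux/capability.h>
DEFAULT_PRIVILEGED_LIMIT = 1024    # ports below this need the capability on older kernels


def privileged_port_start(path="/proc/sys/net/ipv4/ip_unprivileged_port_start"):
    """First port an unprivileged process may bind.

    Newer kernels expose this sysctl; lowering it (e.g. to 162) opens every
    port from there up to 1023 to all users, which is why the thread rejects it.
    Kernels without the file hard-code 1024.
    """
    try:
        with open(path) as f:
            return int(f.read().strip())
    except OSError:
        return DEFAULT_PRIVILEGED_LIMIT


def effective_caps(path="/proc/self/status"):
    """Effective capability set of this process, parsed from the CapEff line."""
    with open(path) as f:
        for line in f:
            if line.startswith("CapEff:"):
                return int(line.split()[1], 16)
    return 0


def has_net_bind_service(caps=None):
    """True if CAP_NET_BIND_SERVICE is in the given (or current) effective set."""
    if caps is None:
        caps = effective_caps()
    return bool((caps >> CAP_NET_BIND_SERVICE) & 1)


def bind_should_succeed(port, start, caps):
    """Pure decision mirroring the kernel rule: a port below the privileged
    boundary needs CAP_NET_BIND_SERVICE; any other port is free for everyone.
    SELinux can still deny the bind after this check passes, never permit it."""
    return port >= start or has_net_bind_service(caps)


def bind_udp(port, host="127.0.0.1"):
    """Attempt a real UDP bind; returns (ok, errno_name). A privileged port
    without the capability fails with EACCES."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.bind((host, port))
        return True, None
    except OSError as e:
        return False, errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()


if __name__ == "__main__":
    start = privileged_port_start()
    caps = effective_caps()
    for port in (162, 10162):
        predicted = bind_should_succeed(port, start, caps)
        ok, err = bind_udp(port)
        print(f"port {port}: privileged boundary={start} "
              f"cap_net_bind_service={has_net_bind_service(caps)} "
              f"predicted={predicted} actual={'ok' if ok else err}")
```

The least-privilege fix for a process that truly must own UDP/162 is to grant only that capability rather than root: `setcap cap_net_bind_service=+ep` on a dedicated copy of the JVM launcher used by this one service, not on the shared `java` binary, since a file capability on the shared launcher would hand every Java program on the host the right to bind privileged ports. Note that the dynamic loader runs capability-bearing binaries in secure-execution mode and ignores LD_LIBRARY_PATH, so the JVM's library directory must be resolvable without it. The SELinux policy change Patrick asks about is still needed on an enforcing host, but it is a second gate behind the capability check above, not a substitute for it.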