My app binds to a random port prior to connecting to a well known port. If the random port is in use (errno == EADDRINUSE) the port number is incremented and a new bind is attempted.
SELinux port labeling was causing errno==EACCES for ports that are under SELinux control. I found corenet_tcp_bind_all_ports() which fixed the problem - because now, my app is allowed to use those ports.
Dan Walsh suggested corenet_tcp_bind_generic_port() instead - so my app doesn't use the ports managed by SELinux for other apps. So I changed my code to also increment the port and re-attempt a bind when errno==EACCES.
I find that some non-SELinux controlled ports are also causing EACCES (but only in enforcing mode)... and EACCES is a problem I've never run into before on non-SELinux boxes... so I believe that SELinux is somehow preventing access to the un-controlled ports.
Each of the ports listed below, the PRIOR port has an SELinux type shown by 'semanage port -l', yet these ports also get the EACCES error:
1702 2607 3261 3552 4691 5433 5704 6021 7001 8022 8119 8291 8293 9011 9223 9283 9293 9434 9702 13446 16002
Oops... I was not resetting errno in the loop.
Thanks, Brian
-----Original Message----- From: Brian Ginn Sent: Tuesday, May 26, 2009 3:59 PM To: 'fedora-selinux-list@redhat.com' Subject: ports under SELinux on RHEL-5.3
My app binds to a random port prior to connecting to a well known port. If the random port is in use (errno == EADDRINUSE) the port number is incremented and a new bind is attempted.
SELinux port labeling was causing errno==EACCES for ports that are under SELinux control. I found corenet_tcp_bind_all_ports() which fixed the problem - because now, my app is allowed to use those ports.
Dan Walsh suggested corenet_tcp_bind_generic_port() instead - so my app doesn't use the ports managed by SELinux for other apps. So I changed my code to also increment the port and re-attempt a bind when errno==EACCES.
I find that some non-SELinux controlled ports are also causing EACCES (but only in enforcing mode)... and EACCES is a problem I've never run into before on non-SELinux boxes... so I believe that SELinux is somehow preventing access to the un-controlled ports.
Each of the ports listed below, the PRIOR port has an SELinux type shown by 'semanage port -l', yet these ports also get the EACCES error:
1702 2607 3261 3552 4691 5433 5704 6021 7001 8022 8119 8291 8293 9011 9223 9283 9293 9434 9702 13446 16002
selinux@lists.fedoraproject.org