My apologies for not replying directly to the original posting; for some reason this never hit my inbox.

From: Dominick Grift @ 2022-05-23
> diff --git a/src/network_support.md b/src/network_support.md
> index bec725e..05ec0e8 100644
> --- a/src/network_support.md
> +++ b/src/network_support.md
> @@ -668,6 +668,17 @@ statements):
> semanage port -a -t my_server_port_t -p tcp -r s0 12345
> ```
>
> +Ports in the local port range can be auto-assigned by the kernel to
> +unbound sockets on first use. Controlling binding to ports is only
> +useful when the port number is a "name" (i.e. a well-defined value that
> +is expected to correspond to a specific service).
> +
> +The *name_bind* operation is not controlled on sockets associated
> +with ports in the local port range:
> +```
> +sysctl net.ipv4.ip_local_port_range
> +```
> +

Despite the sysctl name, these ports are typically referred to as "ephemeral ports" and not "local ports". I would suggest the text below as an alternate solution; what do you think?

Only ports that fall outside the local, or ephemeral, port range are subject to the additional *name_bind* access check. You can see the current ephemeral port range on your system by checking the *net.ipv4.ip_local_port_range* sysctl:

```
sysctl net.ipv4.ip_local_port_range
```

--
paul-moore.com
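Review bot: the added paragraph in the quoted hunk says *name_bind* is "not controlled" for ports in the local port range, but it does not spell out the practical consequence for the `semanage port -a -t my_server_port_t -p tcp -r s0 12345` example immediately above it: a port type assigned to a port that falls inside that range is never consulted for *name_bind*, so the labelling silently has no effect for that check. Suggest adding one sentence after the sysctl block, e.g. "A port type assigned with *semanage port* to a port inside this range will not be enforced for *name_bind*; choose a port outside the range for services that must be confined this way." Also, the fenced block directly follows the sentence ending in a colon with no blank line, unlike the fenced block in the surrounding context; a blank line before the opening fence keeps the rendering consistent.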