Paul Moore <paul@xxxxxxxxxxxxxx> writes:

> My apologies for not replying directly to the original posting, for
> some reason this never hit my inbox.

No problem

>> From: Dominick Grift @ 2022-05-23
>> diff --git a/src/network_support.md b/src/network_support.md
>> index bec725e..05ec0e8 100644
>> --- a/src/network_support.md
>> +++ b/src/network_support.md
>> @@ -668,6 +668,17 @@ statements):
>>  semanage port -a -t my_server_port_t -p tcp -r s0 12345
>>  ```
>>
>> +Ports in the local port range can be auto-assigned by the kernel to
>> +unbound sockets on first use. Controlling binding to ports is only
>> +useful when the port number is a "name" (i.e. a well-defined value that
>> +is expected to correspond to a specific service).
>> +
>> +The *name_bind* operation is not controlled on sockets associated
>> +with ports in the local port range:
>> +```
>> +sysctl net.ipv4.ip_local_port_range
>> +```
>> +

> Despite the sysctl name, these ports are typically referred to as
> "ephemeral ports" and not "local ports". I would suggest the text
> below as an alternate solution, what do you think?
>
> Only ports that fall outside the local, or ephemeral, port range are
> subject to the additional *name_bind* access check. You can see the
> current ephemeral port range on your system by checking the
> *net.ipv4.ip_local_port_range* sysctl:
> ```
> sysctl net.ipv4.ip_local_port_range
> ```

Yes, looks good. I will post a V2 tomorrow.

Thanks

-- 
gpg --locate-keys dominick.grift@xxxxxxxxxxx
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
Dominick Grift
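The distinction discussed in the thread, as an added example that is not part of the patch or of the SELinux notebook it edits: a port is subject to the *name_bind* check only when it lies outside the ephemeral range reported by the *net.ipv4.ip_local_port_range* sysctl, and a socket bound to port 0 receives a kernel-assigned port from inside that range. The script reads the range from /proc on Linux and falls back to a constructed default elsewhere; the function names are the example's own.

```python
"""Which ports does the SELinux name_bind check apply to?

Added example (not from the thread or the notebook under review).
Assumes a Linux host exposing the ephemeral range through
/proc/sys/net/ipv4/ip_local_port_range, the sysctl named in the patch.
"""
import socket
from pathlib import Path
from typing import Optional, Tuple

PROC_RANGE = Path("/proc/sys/net/ipv4/ip_local_port_range")


def parse_port_range(text: str) -> Tuple[int, int]:
    """Parse the sysctl value, e.g. '32768\t60999' -> (32768, 60999)."""
    lo, hi = (int(x) for x in text.split())
    if not (1 <= lo <= hi <= 65535):
        raise ValueError(f"implausible port range {lo}-{hi}")
    return lo, hi


def read_ephemeral_range() -> Optional[Tuple[int, int]]:
    """Return the live range, or None when /proc is unavailable (non-Linux)."""
    try:
        return parse_port_range(PROC_RANGE.read_text())
    except OSError:
        return None


def name_bind_checked(port: int, ephemeral: Tuple[int, int]) -> bool:
    """True when an explicit bind() to `port` is subject to name_bind,
    i.e. the port lies outside the ephemeral range (per the reviewed text)."""
    lo, hi = ephemeral
    return not (lo <= port <= hi)


def kernel_assigned_port() -> int:
    """Bind to port 0 so the kernel auto-assigns a port from the ephemeral range."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    live = read_ephemeral_range()
    rng = live or (32768, 60999)  # constructed fallback for non-Linux hosts
    # 12345 is the port from the semanage example in the notebook; the
    # rest are constructed probes around the range boundaries.
    for p in (22, 12345, rng[0] - 1, rng[0], rng[1], rng[1] + 1):
        verdict = "name_bind checked" if name_bind_checked(p, rng) else "ephemeral, no name_bind check"
        print(f"port {p:5d}: {verdict}")
    if live:
        auto = kernel_assigned_port()
        print(f"kernel auto-assigned {auto}; inside ephemeral range: "
              f"{not name_bind_checked(auto, rng)}")
```

The fallback pair is only there so the classification still runs on a machine without /proc; on a policy host you would rely on the live value, since the range is tunable and a port that is "named" on one system may be ephemeral on another.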