diff mbox series

[SELinux-notebook] network_support.md: clarify local port range and name_bind

Message ID 20220523070652.81984-1-dominick.grift@defensec.nl (mailing list archive)
State Changes Requested
Delegated to: Paul Moore
Headers show
Series [SELinux-notebook] network_support.md: clarify local port range and name_bind | expand

Commit Message

Dominick Grift May 23, 2022, 7:06 a.m. UTC 
Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
---
 src/network_support.md | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff mbox series

Patch

diff --git a/src/network_support.md b/src/network_support.md
index bec725e..05ec0e8 100644
--- a/src/network_support.md
+++ b/src/network_support.md
@@ -668,6 +668,17 @@  statements):
 semanage port -a -t my_server_port_t -p tcp -r s0 12345
 ```
 
+Ports in the local port range can be auto-assigned by the kernel to
+unbound sockets on first use. Controlling binding to ports is only
+useful when the port number is a "name" (i.e. a well-defined value that
+is expected to correspond to a specific service).
+
+The *name_bind* operation is not controlled on sockets associated
+with ports in the local port range:
+```
+sysctl net.ipv4.ip_local_port_range
+```
+
 ## Labeled Network FileSystem (NFS)
 
 Version 4.2 of NFS supports labeling between client/server and requires