Re: Networking and the firewall (Was Re: Isn't it time for the encrypted file system???)

[Daniel J Walsh <dwalsh@xxxxxxxxxx>]

David Zeuthen wrote:
> On Tue, 2006-03-28 at 09:51 +0200, Alexander Larsson wrote:
>   
> > I must say I'm slightly bothered by the "lets have the apps punch holes
> > in the firewall" approach. If any app can open holes in the firewall,
> > what use is the firewall then? It will only be protecting ports that no
> > application is listening too.
> >     
>
> Sure, of course, we need auth from the user (ask them to put in their
> own password or the root password [1]) to open the hole as Alan says.
> Just allowing any app to open arbitrary ports would be a security hole.
>
> We might need some fixes both kernel- and g-u-s-side too to make this
> work in a secure way; e.g. reuse same port number next time; only
> allow /usr/bin/httpd to bind to that port etc etc
>
> I must say.. I'm slightly annoyed by the fact that we put in a feature
> like g-u-s and just don't fix this and expect the user to Google his way
> out of this. We already know that the only way to fix this right now is
> to turn off the firewall. Not very cool. 
>
> Can someone please look at this for FC6? And at the same time make sure
> the Banshee and Rhythmbox's of the world can use this feature too? Maybe
> even push an API 
>
>     David
>
> [1] : the PolicyKit stuff I'm working on will make this much easier
> though it will require the firewall to export a system-level service to
> allow punching holes...
>
>   
Should also be wrapped in SELinux to make sure some random app does not 
ask for this.  If I am a user and NetworkManager pops a window saying 
somethine like
"In order to run correctly I need your computer to turn purple, and run 
the Hypervizor at Warp 3"  I am going to answer the question, "Yes"

So only apps with  a security policy should even be able to do this.
>   
> > =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> >  Alexander Larsson                                            Red Hat, Inc 
> >                    alexl@xxxxxxxxxx    alla@xxxxxxxxxxxxxx 
> > He's a short-sighted amnesiac filmmaker from a doomed world. She's a 
> > supernatural hip-hop safe cracker fleeing from a Satanic cult. They fight 
> > crime! 
> >
> > --
> > Fedora-maintainers mailing list
> > Fedora-maintainers@xxxxxxxxxx
> > https://www.redhat.com/mailman/listinfo/fedora-maintainers
> >     
>
> --
> Fedora-maintainers mailing list
> Fedora-maintainers@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-maintainers
>