On 07/24/2009 04:44 PM, Steve Grubb wrote:
> On Friday 24 July 2009 03:47:51 pm Casey Dahlin wrote:
>> A couple of mentions of SELinux have cropped up in the FireKit thread,
>> which got me thinking about the Firewall and SELinux and ways in which they
>> are similar. I had the following thought:
>>
>> SELinux already has a lot of policy information from which we might like to
>> determine whether ports should be open to a particular program.
>
> Just because SELinux has policy doesn't mean the app is installed.
>

If the app is not installed, nothing is running in its context, so none of the rules will ever trigger.

>> The simplest mechanism I can see for doing that is to allow SELinux context
>> to be referenced in the firewall rules. This prevents either system from
>> having to be grotesquely modified.
>>
>> An example rule might look like this:
>>
>> -A INPUT -Z apache_t -j ACCEPT
>>
>> Here we tell the firewall to allow incoming traffic that will be
>> intercepted in userspace by a process in the apache_t context.
>
> I don't like this. It's not tying to any port. For example, suppose there is a
> vulnerability in cups and apache is not running, the cups app could start
> listening on other ports and the rule would allow connections.
>

Only if cups were running in the apache_t context. You seem to not quite be getting what I'm saying. What is it you expect that rule /does/ accomplish if not prevent the situation you describe?

--CJD

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
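The pairing the thread is after already exists in the kernel: netfilter's SECMARK/CONNSECMARK targets label packets with an SELinux context, and SELinux policy then decides which domains may send or receive packets carrying that label, so the firewall rule stays tied to a port while the policy ties the label to a domain. The two fragments below are an added illustration, not text from the thread or Fedora's shipped policy; `httpd_t` is the real Apache domain in Fedora's targeted policy (the thread's `apache_t`), while the packet type `web_server_pkt_t` and the module name are names chosen here.

```text
# --- Fragment 1: /etc/sysconfig/iptables (iptables-save format), mangle table ---
*mangle
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Packets on an already-tracked connection inherit the label saved on its conntrack entry.
-A INPUT  -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
-A OUTPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
# Only new connections to tcp/80 get the web-server packet label (web_server_pkt_t is a name chosen here);
# the label is then saved on the connection so replies carry it too.
-A INPUT -p tcp --dport 80 -m state --state NEW -j SECMARK --selctx system_u:object_r:web_server_pkt_t:s0
-A INPUT -m state --state NEW -j CONNSECMARK --save
COMMIT

# --- Fragment 2: web_server_pkt.te (policy module, built and loaded with semodule) ---
policy_module(web_server_pkt, 1.0)

require {
    type httpd_t;
    class packet { send recv };
}

# Declare the packet type referenced by the SECMARK rule above.
type web_server_pkt_t;
corenet_packet(web_server_pkt_t)

# Only the Apache domain may receive or send packets carrying this label.
# A process in another domain (e.g. a compromised printing daemon) listening on
# any port gets no packet with this label, and it has no rule for unlabeled ones either.
allow httpd_t web_server_pkt_t:packet { send recv };
```

Once any SECMARK rule is loaded, every packet the rules do not label carries `unlabeled_t`, so other domains need `unlabeled_t:packet` permissions or their traffic is denied; such denials appear in the audit log as AVC records with `tclass=packet`, which is the first thing to check when enabling this.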