On Fri, Jul 24, 2009 at 16:55:23 -0400, Steve Grubb <sgrubb@xxxxxxxxxx> wrote: > > I don't think I explained it well. I was thinking what if you had this rule: > > -A INPUT -Z cups_t -j ACCEPT > > and then cups was compromised and started listening on port 80. Since the > above rule has no port restrictions and cups is allowed to accept connections, > would cups now be able to start serving web pages? I thought the idea was to label packets based on source and destination (including ports) not application. Applications would get access to the packets based on their context and the context (labels) of the packets. I may have misunderstood though. -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list