Re: Lower Process Capabilities

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 07/28/2009 04:11 PM, Chris Adams wrote:
> AFAIK SELinux introduces additional controls and does not replace or
> override existing controls.  I'm pretty sure non-root still can't
> directly listen on a low-numbered port.

For some reason I thought it was possible with MAC, but I can't find
anything to support that.  I might have been thinking of Solaris privileges.

One simple alternative, sure to be unpopular with many, would be to
patch the kernel to skip the low-numbered-port enforcement if SELinux is
running in enforcing mode, and ship policies that do the right thing.
Admins would have to purposely cripple their policies to make this
insecure.

However, init scripts would all have to become selinux savvy and know
how to launch with the old model, which may be too tall an order.  It
also makes permissive mode more treacherous.

Still, is such a change less severe than changing what root means?  Is
Fedora that committed to SELinux?  What's it going to take to make most
people who shut off SELinux stop doing that?

-Bill

-- 
Bill McGonigle, Owner           Work: 603.448.4440
BFC Computing, LLC              Home: 603.448.1668
http://www.bfccomputing.com/    Cell: 603.252.2606
Twitter, etc.: bill_mcgonigle   Page: 603.442.1833
Email, IM, VOIP: bill@xxxxxxxxxxxxxxxx
Blog: http://blog.bfccomputing.com/
VCard: http://bfccomputing.com/vcard/bill.vcf

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux