On 07/28/2009 04:11 PM, Chris Adams wrote:

> AFAIK SELinux introduces additional controls and does not replace or
> override existing controls. I'm pretty sure non-root still can't
> directly listen on a low-numbered port.

For some reason I thought it was possible with MAC, but I can't find anything to support that. I might have been thinking of Solaris privileges.

One simple alternative, sure to be unpopular with many, would be to patch the kernel to skip the low-numbered-port enforcement if SELinux is running in enforcing mode, and ship policies that do the right thing. Admins would have to purposely cripple their policies to make this insecure.

However, init scripts would all have to become SELinux-savvy and know how to launch with the old model, which may be too tall an order. It also makes permissive mode more treacherous.

Still, is such a change less severe than changing what root means? Is Fedora that committed to SELinux? What's it going to take to make most people who shut off SELinux stop doing that?

-Bill

--
Bill McGonigle, Owner
BFC Computing, LLC
Work: 603.448.4440
Home: 603.448.1668
Cell: 603.252.2606
Page: 603.442.1833
http://www.bfccomputing.com/
Twitter, etc.: bill_mcgonigle
Email, IM, VOIP: bill@xxxxxxxxxxxxxxxx
Blog: http://blog.bfccomputing.com/
VCard: http://bfccomputing.com/vcard/bill.vcf

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list