On Tue, Jul 28, 2009 at 17:53:53 -0400,
  Bill McGonigle <bill@xxxxxxxxxxxxxxxx> wrote:
>
> One simple alternative, sure to be unpopular with many, would be to
> patch the kernel to skip the low-numbered-port enforcement if SELinux is
> running in enforcing mode, and ship policies that do the right thing.
> Admins would have to purposely cripple their policies to make this
> insecure.

I think after the selinux involvement in the recent popularized kernel
exploit, that isn't going to happen. Having enforcing mode do things you
can't in permissive mode is dangerous. While xguest will probably stay,
I don't think you'll see too many other cases where selinux will give you
extra privileges.

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list