Re: Lower Process Capabilities

On Tue, Jul 28, 2009 at 17:53:53 -0400,
  Bill McGonigle <bill@xxxxxxxxxxxxxxxx> wrote:
> 
> One simple alternative, sure to be unpopular with many, would be to
> patch the kernel to skip the low-numbered-port enforcement if SELinux is
> running in enforcing mode, and ship policies that do the right thing.
> Admins would have to purposely cripple their policies to make this
> insecure.

I think after the SELinux involvement in the recent popularized kernel
exploit, that isn't going to happen. Having enforcing mode do things you
can't in permissive mode is dangerous. While xguest will probably stay,
I don't think you'll see too many other cases where SELinux will give
you extra privileges.

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list