On 4/15/14, drago01 <drago01@xxxxxxxxx> wrote: > On Tue, Apr 15, 2014 at 6:13 PM, Andrew Lutomirski <luto@xxxxxxx> wrote: [cut] >> I keep thinking that, if I had unlimited time, I'd write a totally >> different kind of firewall. It would allow some policy (userspace >> daemon or rules loaded into the kernel) to determine when programs can >> listen on what sockets and when connections can be accepted on those >> sockets. > > We could do that today by using selinux and confine all programs into > a domain that does not allow listing to any ports. > Those that have to should get labeled by a different type. > > We could go as far as do that for unconfined_t as well and have the > user chcon to a "allow_ports_prog_t" or something (and have a boolean > to shut it off for everything). > > But I am not sure this is less of a hassle then a firewall though. Agreed. Anyway, some users disable selinux because it get's in their way, exactly as the firewall. Would be interesting to have some idea of percentages for this (% disabled firewalls, %disabled selinux) out there, but I presume it's hopeless. Anyway, I get the feeling that the hunt for the "really proper" fix is not that fruitful here. OTOH, if you limit the goals to fulfill the basic statement to not let the default configuration of firewalld block the functionality of the default Workstations applications it should certainly be doable without writing a new firewall. Not the most elegant, ultimate solution, but something which solves the problem at hand. --a -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
