On Sat, 2005-12-17 at 07:53, Michael A. Peters wrote: > On Sat, 2005-12-17 at 07:41 -0500, Sean wrote: > > You don't want a static > > firewall rule for a process that is only running occasionally. No, what > > you want is an appropriate firewall rule set only for the time that BT is > > actually running. Anything else is a security risk in itself. Actually shouldn't the strict selinux policy cover this type of thing much better. Not only just while BT is running, but only BT the app can listen on that port range? > Oh I see what you are saying. > When trusted application foo is being run by user in trusted group bar > (or open for any user) - the firewall will open ports xxxx to yyyy > should foo request they be opened - for the duration that foo is > running. yes and that request should just be the bind(sockfd, my_addr, addrlen); The kernel should be able to decide to grant that request based on the information it has being a "trusted" app(selinux context label), run by trusted user(uid,gid,selinux domain). > > That would be slick. It would be slicker if only the BT app could use those ports and you didn't have to dynamically punch holes in the firewall. -- http://dmoz.org/profiles/pollei.html http://sourceforge.net/users/stephen_pollei/ http://www.orkut.com/Profile.aspx?uid=2455954990164098214 http://stephen_pollei.home.comcast.net/ http://www.biglumber.com/x/web?sn=Stephen+Pollei https://keyserver-beta.pgp.com/vkd/DownloadKey.event?keyid=0x910F6BB54A7D9677 GPG Key fingerprint = EF6F 1486 EC27 B5E7 E6E1 3C01 910F 6BB5 4A7D 9677
Attachment:
signature.asc
Description: This is a digitally signed message part
-- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
