On Sat, 2005-12-17 at 12:12, Callum Lerwick wrote:
> Actually, when you're talking about processes on the local machine,
> firewall rules are a totally hackish way of going about this.

Actually it's having to dynamically alter your policy, because of the weakness of its expression, that is hacky. Between selinux and netfilter you should be able to precisely state your policy. The only thing is his UPnP Internet Gateway Device (IGD) controller via Dbus should be a userland process, and this deputy should be able to inspect the selinux domain of the requesting process and base its decisions on that as well.

> What you want to do, is have some kind of local ACL that says what
> processes and users can bind to what ports.
> Can selinux do this? If not, it should.

In theory yes; of course some people are disabling even the targeted policy, and the strict policy might not yet be ready for prime time. You'd need the strict policy if you don't want most users' processes running as unconfined_t. How is the work on getting strict policy working well going anyway?

http://www.netfilter.org/
http://www.nsa.gov/selinux/
http://selinux.sourceforge.net/
http://www.knoxscape.com/Upnp/NAT.htm
http://www.microsoft.com/technet/prodtechnol/winxppro/support/upnp01.mspx
http://en.wikipedia.org/wiki/Internet_Gateway_Device
http://www.upnp.org/standardizeddcps/igd.asp

--
http://dmoz.org/profiles/pollei.html
http://sourceforge.net/users/stephen_pollei/
http://www.orkut.com/Profile.aspx?uid=2455954990164098214
http://stephen_pollei.home.comcast.net/
http://www.biglumber.com/x/web?sn=Stephen+Pollei
https://keyserver-beta.pgp.com/vkd/DownloadKey.event?keyid=0x910F6BB54A7D9677
GPG Key fingerprint = EF6F 1486 EC27 B5E7 E6E1 3C01 910F 6BB5 4A7D 9677
--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
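Added example, not from the thread or its author: a minimal SELinux reference-policy module showing the kind of "which domain may bind to which port" rule the reply has in mind. The domain name mydaemon_t, the port type mydaemon_port_t and port 8765 are constructed for illustration; the build and semanage commands are the standard toolchain, assumed installed.

```selinux
# mydaemon.te - constructed example module (reference policy style)
policy_module(mydaemon, 1.0)

########################################
# Declarations
#
type mydaemon_t;
type mydaemon_exec_t;
# Transition into mydaemon_t when init runs the labelled binary.
init_daemon_domain(mydaemon_t, mydaemon_exec_t)

# A dedicated port type; the port number is attached with semanage below,
# so the policy itself never hard-codes 8765.
type mydaemon_port_t;
corenet_port(mydaemon_port_t)

########################################
# Policy
#
# Create/listen/accept on its own TCP sockets.
allow mydaemon_t self:tcp_socket create_stream_socket_perms;

# name_bind is the permission checked on bind(2) to a labelled port.
# This is the only name_bind rule for mydaemon_t, so a bind to a port
# labelled http_port_t, ssh_port_t, etc. is denied and logged as
# "avc: denied { name_bind }" in the audit log.
allow mydaemon_t mydaemon_port_t:tcp_socket name_bind;

# Node and interface access needed to actually listen and talk.
corenet_tcp_bind_generic_node(mydaemon_t)
corenet_tcp_sendrecv_generic_if(mydaemon_t)
corenet_tcp_sendrecv_generic_node(mydaemon_t)

# Build, load, and label the port (run as root):
#   make -f /usr/share/selinux/devel/Makefile mydaemon.pp
#   semodule -i mydaemon.pp
#   semanage port -a -t mydaemon_port_t -p tcp 8765
# Check the result:
#   semanage port -l | grep mydaemon_port_t
```

Note that this only constrains bind(2); the reply's point about the UPnP IGD deputy is that the same domain label could also drive which processes are allowed to request a port mapping, which this module does not cover.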