In trying to segment networking into two domains I seem to have overlooked that name_bind doesn't get enforced for ports within the machine's local port range (i.e. ports assigned by the kernel). I suppose I could try to hack the LSM selinux_socket_bind hook to enforce name_bind for all ports; would that be possible? I'd rather not, though, since I've never ventured deeper than SELinux policy, and delving into the mechanism scares me.

Is it possible to somehow implement a boolean that would toggle whether name_bind was enforced for all ports or just for ports outside the local port range?

Thanks,
- Steve Brueckner, ATC-NY

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
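To see which of a service's listening ports will actually be gated by name_bind under the rule the post describes, here is an added example (not from the post or from the SELinux project) that mirrors the kernel condition, ports below max(1024, low) or above high are checked, and looks each port up in a constructed excerpt in the style of `semanage port -l`; the 1024 boundary, the sample range and the sample table are assumptions.

```python
"""Added example: which bind() ports does SELinux gate with name_bind?
Mirrors the selinux_socket_bind rule: ports inside the kernel's local
(ephemeral) port range skip the name_bind check; ports below the
privileged boundary or above the range are checked."""
from typing import Dict, List, Tuple

# Constructed sample of /proc/sys/net/ipv4/ip_local_port_range content.
SAMPLE_LOCAL_PORT_RANGE = "32768\t60999\n"

# Constructed excerpt in the style of `semanage port -l` (assumed layout:
# port type, protocol, then comma-separated ports or low-high ranges).
SAMPLE_PORT_TABLE = """\
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
"""

PROT_SOCK = 1024  # assumed privileged-port boundary used by the kernel rule

def parse_local_port_range(text: str) -> Tuple[int, int]:
    low, high = (int(x) for x in text.split())
    return low, high

def name_bind_checked(port: int, low: int, high: int) -> bool:
    """True when SELinux consults name_bind for this explicit port."""
    if port == 0:  # port 0 asks the kernel for an ephemeral port: no check
        return False
    return port < max(PROT_SOCK, low) or port > high

def parse_port_table(text: str) -> List[Tuple[str, str, int, int]]:
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        ptype, proto, spec = parts
        for item in spec.split(","):
            lo, _, hi = item.strip().partition("-")
            rows.append((ptype, proto, int(lo), int(hi or lo)))
    return rows

def port_type(port: int, proto: str, table) -> str:
    for ptype, p, lo, hi in table:
        if p == proto and lo <= port <= hi:
            return ptype
    return "(unlisted: policy default type)"

def audit(ports, proto="tcp", rng=SAMPLE_LOCAL_PORT_RANGE,
          tbl=SAMPLE_PORT_TABLE) -> Dict[int, Tuple[bool, str]]:
    """Map each port to (name_bind checked?, port type it would need)."""
    low, high = parse_local_port_range(rng)
    table = parse_port_table(tbl)
    return {p: (name_bind_checked(p, low, high), port_type(p, proto, table))
            for p in ports}
```

Ports reported as not checked are exactly the ones the post is worried about: a domain can bind them without any name_bind rule, so segmenting by port type alone does not constrain them.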