On Thu, 2005-04-28 at 12:32 -0400, Steve Brueckner wrote:
> In trying to segment networking into two domains I seem to have overlooked
> that name_bind doesn't get enforced for ports within the machine's local
> port range (i.e. ports assigned by the kernel). I suppose I could try to
> hack the LSM selinux_socket_bind hook to enforce name_bind for all ports;
> would that be possible? I'd rather not, though, since I've never ventured
> deeper than SELinux policy, and delving into the mechanism scares me. Is it
> possible to somehow implement a boolean that would toggle whether name_bind
> was enforced for all ports or just for ports outside the local port range?

That hook is only applied for explicit bind(2) calls by applications.
Auto-binding of unbound sockets by the kernel (e.g. when sending on an
unbound socket) will never hit that hook at all. You would need to modify
udp_v4_get_port and tcp_v4_get_port to check permission and keep scanning
for another available port until one is allowed. Not likely to make much
headway upstream.

-- 
Stephen Smalley <sds@xxxxxxxxxxxxx>
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
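The distinction Stephen draws, between an application's explicit bind(2) (which reaches the LSM socket_bind hook) and the kernel auto-binding an unbound socket (which does not), can be seen from user space. The program below is an added example and is not code from the thread or from the SELinux project. It assumes a Linux host with a usable loopback interface. It uses connect(2) on an unbound UDP socket to trigger the kernel's auto-bind path (inet_autobind, which calls the protocol's get_port routine, udp_v4_get_port in the kernels of that era) without emitting a packet; sendto(2) on the same unbound socket would take the same path. The /proc/sys/net/ipv4/ip_local_port_range file is the real Linux sysctl that defines the local port range Steve refers to.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Local port of a socket in host byte order; -1 on error. */
static int local_port(int fd)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0)
        return -1;
    return ntohs(sa.sin_port);
}

/* A freshly created, never bound UDP socket has no local port yet.
 * Returns 0 on a normal system, -1 on error. */
int unbound_port(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    int port = local_port(fd);
    close(fd);
    return port;
}

/* Kernel auto-bind path: the application never calls bind(2), so the
 * LSM socket_bind hook (selinux_socket_bind) is never invoked. connect(2)
 * on an unbound UDP socket makes the kernel pick a source port itself
 * (inet_autobind -> udp get_port) and sends nothing on the wire.
 * Returns the auto-assigned port, or -1 on error. */
int autobind_port(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    struct sockaddr_in peer = { 0 };
    peer.sin_family = AF_INET;
    peer.sin_port = htons(9);                 /* arbitrary; nobody needs to listen */
    peer.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (connect(fd, (struct sockaddr *)&peer, sizeof peer) < 0) {
        close(fd);
        return -1;
    }
    int port = local_port(fd);
    close(fd);
    return port;
}

/* Explicit bind(2) to port 0: the kernel still chooses an ephemeral port,
 * but this time via bind(2), which is the path the socket_bind hook sees.
 * Returns the assigned port, or -1 on error. */
int explicit_bind_port(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    struct sockaddr_in local = { 0 };
    local.sin_family = AF_INET;
    local.sin_port = 0;                       /* let the kernel pick */
    local.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&local, sizeof local) < 0) {
        close(fd);
        return -1;
    }
    int port = local_port(fd);
    close(fd);
    return port;
}

/* Is port inside the kernel's local (ephemeral) port range?
 * Returns 1 or 0, or -1 if ip_local_port_range cannot be read. */
int in_local_port_range(int port)
{
    FILE *f = fopen("/proc/sys/net/ipv4/ip_local_port_range", "r");
    if (!f)
        return -1;
    int lo, hi;
    int n = fscanf(f, "%d %d", &lo, &hi);
    fclose(f);
    if (n != 2)
        return -1;
    return port >= lo && port <= hi;
}

int main(void)
{
    int a = autobind_port();
    printf("never bound: port %d; after connect() on unbound socket: port %d\n",
           unbound_port(), a);
    printf("bind(2) to port 0: port %d\n", explicit_bind_port());
    printf("auto-bound port inside ip_local_port_range: %d\n", in_local_port_range(a));
    return 0;
}
```

Run it under an SELinux policy with auditing enabled and only the bind(2) case can ever produce a name_bind denial; the connect() case is assigned a port from the same range with no policy check at all, which is the gap Stephen describes and why a boolean on the bind hook could not close it.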