On Thu, 2006-03-09 at 23:44 +0100, Dawid Gajownik wrote:
> I did not know that. I thought that policy blocks binding to any port
> except ftp_port_t. (Yes, I did not read domains/program/ftpd.te :P )
>
> Hmmm... would you be willing to explain to me why ftpd is allowed to bind
> to port_t? If it's done on purpose, why are ports 1-1023 so important
> that they cannot be used without policy modification?

It has been a while since I've looked at the specifics of that policy,
but I suspect that ftpd wants to bind to arbitrary unreserved ports for
data connections. Whereas you'd like to keep the reserved port space
clean so that e.g. ftpd doesn't masquerade as some other well-known
service.

OTOH, if we are now keeping all well-defined port types defined in the
base policy regardless of the set of policy modules included (which
wasn't originally the case), then we might not need to concern ourselves
with the reserved_port_t fallback.

cc'd some other folks who may have an opinion.

--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
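The two things the reply above is reasoning about are (a) which port types a domain such as ftpd_t has name_bind to, and (b) which type a given port number actually carries, including the fallback where an unlabelled port in 1-1023 is reserved_port_t and anything else unlabelled is the generic port_t. The following is an added example, not code from the thread or from the Fedora policy, that puts both together so you can see why binding 40000 works for ftpd_t while binding an unlabelled 1000 does not. The allow rules and port definitions are hand-written samples in the style of `sesearch -A -s ftpd_t -c tcp_socket -p name_bind` and `semanage port -l` output; they only mirror what the message says (ftpd may bind its own ports and port_t, nothing grants it reserved_port_t) and are not a dump of any real policy. Function and constant names are my own.

```python
"""Added example (not from the thread): decide whether an SELinux domain may
name_bind a port, from the policy's name_bind allow rules plus the port
labelling and its reserved_port_t / port_t fallback.  All sample data is
constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample in the layout of
#   sesearch -A -s ftpd_t -c tcp_socket -p name_bind
# ftpd_t gets its own port types and the generic port_t; no rule grants
# it reserved_port_t, which is the situation the message describes.
SAMPLE_ALLOW_RULES = """\
allow ftpd_t ftp_port_t:tcp_socket name_bind;
allow ftpd_t ftp_data_port_t:tcp_socket name_bind;
allow ftpd_t port_t:tcp_socket name_bind;
allow httpd_t http_port_t:tcp_socket { name_bind name_connect };
"""

# Constructed sample of explicit port labels ("type  proto  ports"),
# in the layout of `semanage port -l`.  Ports not listed here fall
# through to the reserved_port_t / port_t fallback in port_type().
SAMPLE_PORT_DEFS = """\
ftp_port_t                     tcp      21
ftp_data_port_t                tcp      20
http_port_t                    tcp      80, 443, 8080
"""

# allow <src> <tgt>:<class> <perm>;   or   allow ... { perm perm };
ALLOW_RE = re.compile(r"^allow\s+(\w+)\s+(\w+):(\w+)\s+\{?\s*([^};]+?)\s*\}?\s*;")


@dataclass(frozen=True)
class AllowRule:
    source: str
    target: str
    tclass: str
    perms: frozenset


@dataclass(frozen=True)
class PortDef:
    ptype: str
    proto: str
    lo: int
    hi: int


def parse_allow_rules(text):
    """Parse allow-rule lines into AllowRule objects; other lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = ALLOW_RE.match(line.strip())
        if m:
            src, tgt, tclass, perms = m.groups()
            rules.append(AllowRule(src, tgt, tclass, frozenset(perms.split())))
    return rules


def parse_port_defs(text):
    """Parse `type proto ports` lines; ports is a comma list of N or N-M."""
    defs = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue
        ptype, proto, ports = parts
        for item in ports.split(","):
            lo, _, hi = item.strip().partition("-")
            defs.append(PortDef(ptype, proto, int(lo), int(hi) if hi else int(lo)))
    return defs


def port_type(port, proto, defs):
    """Type of a port: the first explicit definition covering it, otherwise the
    fallback discussed in the thread (1-1023 -> reserved_port_t, else port_t)."""
    for d in defs:
        if d.proto == proto and d.lo <= port <= d.hi:
            return d.ptype
    return "reserved_port_t" if 1 <= port <= 1023 else "port_t"


def can_bind(domain, port, proto, rules, defs):
    """Return (allowed, port_type) for `domain` binding `proto` port `port`."""
    ptype = port_type(port, proto, defs)
    tclass = f"{proto}_socket"
    allowed = any(
        r.source == domain and r.target == ptype and r.tclass == tclass
        and "name_bind" in r.perms
        for r in rules
    )
    return allowed, ptype


def check_sample(domain, port, proto="tcp"):
    """Convenience wrapper that runs can_bind() against the constructed samples."""
    return can_bind(domain, port, proto,
                    parse_allow_rules(SAMPLE_ALLOW_RULES),
                    parse_port_defs(SAMPLE_PORT_DEFS))


if __name__ == "__main__":
    for port in (20, 21, 80, 1000, 40000):
        ok, ptype = check_sample("ftpd_t", port)
        print(f"ftpd_t -> tcp/{port:<5} {ptype:<18} {'allowed' if ok else 'DENIED'}")
```

On a real system you would feed the script the actual `sesearch` and `semanage port -l` output instead of the constructed samples; the fallback in port_type() is the piece to revisit if, as the message suggests, all well-known port types end up defined in the base policy regardless of which modules are loaded.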