Cong Wang wrote:
> Oh, IIUC, TOMOYO is something like SELinux?

Yes. It is a policy-based mandatory access control implementation which is applied not only to non-root users but also to the root user. If MAC is enabled, the root user cannot freely modify settings via sysctl() or the /proc/sys interface.

> So, it is somewhat weird to let users use TOMOYO to reserve
> the ports with MAC.

To add reserved ports:

  echo deny_autobind 0-1023 | ccs-loadpolicy -e
  echo deny_autobind 3128 | ccs-loadpolicy -e
  echo deny_autobind 8080 | ccs-loadpolicy -e

and to delete reserved ports:

  echo delete deny_autobind 0-1023 | ccs-loadpolicy -e
  echo delete deny_autobind 3128 | ccs-loadpolicy -e
  echo delete deny_autobind 8080 | ccs-loadpolicy -e

That's all. Quite easy.

> For normal users the /proc interface seems more friendly.

I think the /proc/sys/net/ipv4/ip_local_reserved_ports interface wants "struct list_head" for handling multiple sets of min/max pairs. I'm using http://tomoyo.sourceforge.jp/cgi-bin/lxr/source/security/ccsecurity/autobind.c#L29 for that purpose.
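As an added illustration of the "multiple min/max pairs" point (example code written for this page, not TOMOYO's autobind.c and not the kernel's sysctl handler): a userspace model that parses a reserved-port spec such as "0-1023,3128,8080" into a linked list of ranges and performs the membership check an autobind path would need. The singly linked list stands in for the kernel's struct list_head; port bounds and the comma/dash syntax are assumptions made here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <ctype.h>

/* One reserved range on a singly linked list: a userspace stand-in for the
 * kernel list_head the message says ip_local_reserved_ports would need. */
struct port_range { unsigned min, max; struct port_range *next; };

/* Parse a spec in the "0-1023,3128,8080" form, pushing each range onto
 * *head. Returns the number of ranges, or -1 on a syntax/bounds error. */
static int parse_reserved_ports(const char *spec, struct port_range **head)
{
    int n = 0;
    for (const char *p = spec; *p; n++) {
        char *end;
        unsigned long lo, hi;
        if (!isdigit((unsigned char)*p))        /* must start with a digit */
            return -1;
        lo = hi = strtoul(p, &end, 10);
        p = end;
        if (*p == '-') {                        /* "min-max" pair */
            if (!isdigit((unsigned char)p[1]))
                return -1;
            hi = strtoul(p + 1, &end, 10);
            p = end;
        }
        if (lo > hi || hi > 65535)              /* inverted or non-port bounds */
            return -1;
        struct port_range *r = malloc(sizeof *r);
        if (!r)
            return -1;
        r->min = (unsigned)lo; r->max = (unsigned)hi; r->next = *head; *head = r;
        if (*p == ',')
            p++;
        else if (*p)
            return -1;                          /* unexpected character */
    }
    return n;
}

/* The check an autobind path would make: 1 if port lies in any reserved range. */
static int port_is_reserved(const struct port_range *head, unsigned port)
{
    for (; head; head = head->next)
        if (port >= head->min && port <= head->max)
            return 1;
    return 0;
}
```

Call parse_reserved_ports() once with the spec, then port_is_reserved() for each candidate port; a spec with inverted bounds such as "1024-80" or a value above 65535 is rejected rather than silently reserving the wrong range.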