Re: RFC: https://bugzilla.redhat.com/show_bug.cgi?id=1174405

On Fri, Jan 09, 2015 at 04:52:18PM -0500, Stephen Smalley wrote:
> Ports in the local port range can be auto-assigned by the kernel to
> unbound sockets on first use.  So it makes no sense to control them,
> and there isn't even an LSM hook in the place where such auto-port
> selection occurs.  Controlling binding to ports is only useful when
> the port number is a "name" (i.e. a well-defined value that is
> expected to correspond to a specific service), to prevent spoofing of
> security-relevant services like sshd.

Okay, for the sake of argument let's say that makes sense to me. Should SELinux not somehow communicate this to the user?

First we had the scenario where SELinux denies and does not log denials (user space object managers), and now we have the scenario where
SELinux allows even if there is no rule to allow it.

As a policy writer it gave me confidence to know that "if SELinux blocks, it logs" and that "SELinux denies access by default". Now those things turn out not to be true. It's a black box. Voodoo.

> 
> On Fri, Jan 9, 2015 at 4:05 PM, Dominick Grift <dac.override@xxxxxxxxx> wrote:
> > https://bugzilla.redhat.com/show_bug.cgi?id=1174405
> >
> > This is an inconsistency in SELinux.
> >
> >
> >
> > _______________________________________________
> > Selinux mailing list
> > Selinux@xxxxxxxxxxxxx
> > To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
> > To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.

-- 
Dominick Grift
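The distinction Stephen Smalley draws above (ports inside the kernel's local port range are never subject to a name_bind check, only "named" ports outside it are) is something a policy writer can check for a given port before expecting an AVC denial. The script below is an added example written for this page; it is not code from the thread or from the SELinux project. It reads /proc/sys/net/ipv4/ip_local_port_range when available and otherwise falls back to a constructed sample range. The clamp to 1024 and the exact comparison are this example's reading of the kernel's selinux_socket_bind() hook and are an assumption; the thread itself only states that local-range ports are not controlled.

```python
"""
Added example (not part of the mailing-list thread): classify a port the way
the SELinux socket-bind hook is understood to, so a policy writer can tell
whether a name_bind permission check (and therefore a possible AVC denial)
applies at all.

Assumption: the hook skips the name_bind check when
    max(PROT_SOCK, low) <= port <= high
where [low, high] is ip_local_port_range and PROT_SOCK is 1024.
"""
from pathlib import Path
from typing import Tuple

PROT_SOCK = 1024  # assumption: privileged-port boundary used in the clamp

# Constructed sample of /proc/sys/net/ipv4/ip_local_port_range contents,
# matching a common default so the example also runs without /proc.
SAMPLE_LOCAL_PORT_RANGE = "32768\t60999\n"


def parse_local_port_range(text: str) -> Tuple[int, int]:
    """Parse the two whitespace-separated integers in ip_local_port_range."""
    parts = text.split()
    if len(parts) != 2:
        raise ValueError(f"unexpected ip_local_port_range contents: {text!r}")
    low, high = int(parts[0]), int(parts[1])
    if not (0 < low <= high <= 65535):
        raise ValueError(f"invalid port range {low}-{high}")
    return low, high


def read_local_port_range(
    path: str = "/proc/sys/net/ipv4/ip_local_port_range",
) -> Tuple[int, int]:
    """Read the live range; fall back to the constructed sample if unreadable."""
    try:
        return parse_local_port_range(Path(path).read_text())
    except OSError:
        return parse_local_port_range(SAMPLE_LOCAL_PORT_RANGE)


def name_bind_applies(port: int, low: int, high: int) -> bool:
    """True if bind() to `port` is expected to go through a name_bind check.

    Port 0 means "let the kernel pick": the auto-selected port never reaches
    the check, as the thread explains.
    """
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if port == 0:
        return False
    return port < max(PROT_SOCK, low) or port > high


def classify(port: int, low: int, high: int) -> str:
    """Human-readable verdict, e.g. for policy-writing notes."""
    if port == 0:
        return "kernel-assigned (no name_bind check, nothing to audit)"
    if name_bind_applies(port, low, high):
        return "name_bind check applies (subject to policy, denials auditable)"
    return "in local port range (bind allowed without a name_bind rule, nothing logged)"


if __name__ == "__main__":
    lo, hi = read_local_port_range()
    print(f"local port range: {lo}-{hi}")
    for p in (0, 22, 1023, 8080, 32768, 45000, 60999, 61000, 65535):
        print(f"{p:5d}: {classify(p, lo, hi)}")
```

Running it on a box with the default range shows why the bug report's port went unaudited: anything between 32768 and 60999 is simply never presented to the AVC, while 22, 8080 or 61000 would be.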
