Hi,

I'm not sure I understand the "performance" impact considerations. Indeed, if we were to try to control the binding to 'ephemeral' ports individually, the looping that Stephen proposed would definitely have a huge impact if all ports are denied (as the kernel will have to loop over all of them to find out that all bindings are denied). However, does considering all these ports individually make sense? If we can consider them as a group, not individually, I believe that we could control 'ephemeral' bindings with almost no performance hit.

For example, we could create a permission 'ephemeral_bind' in addition to bind and named_bind:

- bind controls the ability to invoke the bind system call
- named_bind controls the ability to bind a given non-ephemeral port
- ephemeral_bind would control the ability to bind any 'ephemeral' port

Would that make sense? I'm not a kernel/selinux developer, so I can't judge the amount of work needed to implement such a solution, but I don't think that this issue can be discarded for 'performance' reasons.

Cheers,
Vincent Brillault
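The cost argument in the message can be made concrete with a small model of the two checking schemes. This is an added example, not code from the thread or from the SELinux kernel; the policy table, the port labels and the ephemeral range (32768-60999, a common `ip_local_port_range` default) are all constructed assumptions, and the permission names follow the message's proposal rather than the real `name_bind` permission.

```python
# Model of per-port vs. grouped ephemeral-port checks (constructed example).
EPHEMERAL_RANGE = range(32768, 61000)  # assumed ip_local_port_range default

# Constructed policy: domain -> granted permissions. named_bind is granted per
# port type, so it is keyed as "named_bind:<port_type>".
POLICY = {
    "httpd_t": {"bind", "named_bind:http_port_t"},
    "client_t": {"bind", "ephemeral_bind"},
    "sandbox_t": {"bind"},  # may call bind(), but no port is granted
}

PORT_LABELS = {22: "ssh_port_t", 80: "http_port_t", 443: "http_port_t"}
DEFAULT_PORT_TYPE = "port_t"  # label assumed for unlisted ports


def port_type(port):
    return PORT_LABELS.get(port, DEFAULT_PORT_TYPE)


def may_bind_grouped(domain, port):
    """Proposed scheme: bind, then ephemeral_bind for the whole range or
    named_bind for the specific port type. One decision per bind() call."""
    perms = POLICY.get(domain, set())
    if "bind" not in perms:
        return False
    if port in EPHEMERAL_RANGE:  # range membership is O(1)
        return "ephemeral_bind" in perms
    return f"named_bind:{port_type(port)}" in perms


def pick_ephemeral_looping(domain):
    """Per-port scheme the message argues against: bind(0) walks the range
    asking named_bind for each port. Returns (port or None, checks done)."""
    perms = POLICY.get(domain, set())
    checks = 0
    for port in EPHEMERAL_RANGE:
        checks += 1
        if f"named_bind:{port_type(port)}" in perms:
            return port, checks
    return None, checks  # every port denied: whole range was walked


def pick_ephemeral_grouped(domain):
    """Proposed scheme: a single ephemeral_bind decision covers bind(0)."""
    perms = POLICY.get(domain, set())
    if "ephemeral_bind" in perms:
        return EPHEMERAL_RANGE.start, 1
    return None, 1
```

Comparing `pick_ephemeral_looping("sandbox_t")` with `pick_ephemeral_grouped("sandbox_t")` shows the denied-everywhere case: the per-port model performs one check per port in the range, the grouped model exactly one.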