Lower Process Capabilities
Stephen Smalley
sds at tycho.nsa.gov
Wed Jul 29 12:36:46 UTC 2009
On Tue, 2009-07-28 at 17:53 -0400, Bill McGonigle wrote:
> On 07/28/2009 04:11 PM, Chris Adams wrote:
> > AFAIK SELinux introduces additional controls and does not replace or
> > override existing controls. I'm pretty sure non-root still can't
> > directly listen on a low-numbered port.
>
> For some reason I thought it was possible with MAC, but I can't find
> anything to support that. I might have been thinking of Solaris privileges.
There was a patch floated on selinux list circa June 2007 that would
have allowed SELinux to directly grant capabilities. But it met a
certain amount of resistance from people concerned about the
implications of changing the historical position that SELinux only
further restricts access and about how to handle states like permissive
mode, selinux-disabled, etc seamlessly.
http://marc.info/?l=selinux&m=118159187318524&w=2
http://marc.info/?l=selinux&m=118192327422630&w=2
http://marc.info/?l=selinux&m=118191791828777&w=2
--
Stephen Smalley
National Security Agency
More information about the fedora-devel-list
mailing list