Christopher J. PeBenito wrote:
> On Wed, 2007-05-23 at 15:11 -0700, Ken wrote:
>> I became interested in SELinux primarily to increase the level of security I have when I am connected to the Internet, and until recently I have not allowed kernel_t to send or receive rawip over the Internet. I have recently allowed this because I was having difficulty making an online payment without this enabled. Since enabling this, I have wondered what the security implications of allowing kernel_t to send and receive rawip on the Internet are;
>
> It's normal behavior, the kernel needs the permission so it can handle ICMP
> traffic, e.g. ping replies, destination unreachable, etc.

I am aware of ICMP traffic, but even the best programs and protocols can be unexpectedly vulnerable to exploitation; and from a logical perspective, I have (completely and unconditionally) opened my system to allow a particular type of communication with outside connections -- at least with respect to SELinux. My interest is in learning what the logical limits are with respect to what can be sent and received as rawip to and from kernel_t; and what the limitations of what can be done with the data are. I was hoping there is a document compiled somewhere that provides this (and similar) information.

- Ken -
--- Begin Message ---
- From: Ken <mantaray_1 cox net>
- To: "Christopher J. PeBenito" <cpebenito tresys com>
- Subject: Re: kernel_t and rawip
- Date: Fri, 25 May 2007 11:47:09 -0700
--- End Message ---