[Date Prev][Date Next] [Thread Prev][Thread Next]
[Thread Index]
[Date Index]
[Author Index]
Re: Personal firewall replaced by SELinux ?
- From: Alan Cox <alan redhat com>
- To: For testers of Fedora Core development releases <fedora-test-list redhat com>
- Subject: Re: Personal firewall replaced by SELinux ?
- Date: Tue, 20 Apr 2004 11:41:04 -0400
On Tue, Apr 20, 2004 at 02:29:51PM +0200, David Balazic wrote:
> install, since FC1 IIRC, I don't know what its name is, I believe it is the
> kernel packet filter ) obsoleted by it ?
Not really
> In other words, can SELinux give the same (or mostly same) functionality ?
There is a tiny bit of overlap, but netfilter deals with stuff earlier than
the protocol stack which provides better defence and the ability to defend
against protocol level abuses.
SELinux provides a good vehicle for things like virtual hosting where you
want a given virtual host to use a specific address only.
> IMHO, putting a single line of check into the listen() function is much more
> elegant than a complex packet analyzer
> with its complex rules.
You can use the socket filter ioctls to push simple BPF type rules onto
a specific socket, even as a user btw