[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Firewall rules using SELinux context (Was Re: RFE: FireKit)



On Fri, Jul 24, 2009 at 16:55:23 -0400,
  Steve Grubb <sgrubb redhat com> wrote:
> 
> I don't think I explained it well. I was thinking what if you had this rule:
> 
> -A INPUT -Z cups_t -j ACCEPT
> 
> and then cups was compromised and started listening on port 80. Since the 
> above rule has no port restrictions and cups is allowed to accept connections, 
> would cups now be able to start serving web pages?

I thought the idea was to label packets based on source and destination
(including ports), not application. Applications would get access to the
packets based on their context and the context (labels) of the packets.
I may have misunderstood, though.
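The arrangement described in the reply above (packets labelled by address and port, processes granted access by their own domain and the packet's label) is what iptables' SECMARK/CONNSECMARK targets provide in combination with SELinux's packet class. The script below is an added example written for this page; it is not code from the thread, from Fedora, or from the FireKit proposal. It assumes the reference policy's type names cupsd_t, httpd_t, http_server_packet_t and ipp_server_packet_t (check with `seinfo -t | grep packet_t` on the target system), and the module name secmark_demo is made up. Run it with no arguments to print the rules and the policy module; run it as root with `apply` to load them. Note that packets no SECMARK rule matches stay unlabelled and are accepted by the default policy, so the restriction only bites on ports you explicitly label.

```shell
#!/bin/sh
# Added example, not code from the thread or from Fedora/FireKit: label
# inbound packets by destination port with iptables SECMARK, then let
# SELinux decide per domain which packet labels a process may receive.
#
# Assumptions: the packet/domain types below follow the reference
# policy's corenetwork naming (verify with `seinfo -t | grep packet_t`);
# the module name secmark_demo is made up for this example.

# Rules that label by port, not by the process owning the socket.
# CONNSECMARK copies the label onto the conntrack entry so replies and
# later packets of the same connection inherit it.
secmark_rules() {
    cat <<'EOF'
iptables -t mangle -A INPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
iptables -t mangle -A INPUT -p tcp --dport 80 -j SECMARK --selctx system_u:object_r:http_server_packet_t:s0
iptables -t mangle -A INPUT -p tcp --dport 631 -j SECMARK --selctx system_u:object_r:ipp_server_packet_t:s0
iptables -t mangle -A INPUT -m state --state NEW -j CONNSECMARK --save
iptables -t mangle -A OUTPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
EOF
}

# Policy module: httpd_t may handle port-80 packets, cupsd_t only
# port-631 packets. There is intentionally no rule pairing cupsd_t with
# the port-80 packet type, so a cups process bound to port 80 has its
# packets dropped with an AVC denial on class "packet".
secmark_policy() {
    cat <<'EOF'
module secmark_demo 1.0;

require {
    type httpd_t, cupsd_t;
    type http_server_packet_t, ipp_server_packet_t;
    class packet { send recv };
}

allow httpd_t http_server_packet_t:packet { send recv };
allow cupsd_t ipp_server_packet_t:packet { send recv };
EOF
}

# Count the packet rules a given domain gets in the module (used to
# check that the policy says what the comments claim).
packet_rules_for() {
    secmark_policy | grep -c "^allow $1 "
}

# Apply to a live system: build and load the module, then install the rules.
apply_secmark() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    secmark_policy > secmark_demo.te
    checkmodule -M -m -o secmark_demo.mod secmark_demo.te
    semodule_package -o secmark_demo.pp -m secmark_demo.mod
    semodule -i secmark_demo.pp
    secmark_rules | sh -e
    # Verify: labelled rules are in place, then watch for packet denials.
    iptables -t mangle -L INPUT -v -n
    echo "watch denials with: ausearch -m AVC -c cupsd | grep tclass=packet"
}

case "${1:-show}" in
    apply) apply_secmark ;;
    *)     secmark_rules; echo; secmark_policy ;;
esac
```

With this in place the rule is keyed on the port, not on cups_t: a compromised cupsd_t that binds port 80 receives packets labelled http_server_packet_t, for which cupsd_t has no `packet recv` permission, so the kernel drops them and logs an AVC with `tclass=packet`. Any other domain that should legitimately talk on a labelled port needs its own `allow ... :packet { send recv }` rule, or it will be cut off the same way.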
