[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Firewall rules using SELinux context (Was Re: RFE: FireKit)



On 07/24/2009 04:55 PM, Steve Grubb wrote:
> I don't think I explained it well. I was thinking what if you had this rule:
> 
> -A INPUT -Z cups_t -j ACCEPT
> 
> and then cups was compromised and started listening on port 80. Since the 
> above rule has no port restrictions and cups is allowed to accept connections, 
> would cups now be able to start serving web pages?
> 
> -Steve

That would be a bad rule. The Apache example I posted only makes sense because Apache can be listening on pretty much any port anyway (every http deployment I see is stranger than the last). For cups it is a lot rarer for an admin to configure a strange port, so we'd want to combine -Z with further rules like port and host restrictions.

--CJD


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]