[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Lower Process Capabilities



On 07/28/2009 04:11 PM, Chris Adams wrote:
> AFAIK SELinux introduces additional controls and does not replace or
> override existing controls.  I'm pretty sure non-root still can't
> directly listen on a low-numbered port.

For some reason I thought it was possible with MAC, but I can't find
anything to support that.  I might have been thinking of Solaris privileges.

One simple alternative, sure to be unpopular with many, would be to
patch the kernel to skip the low-numbered-port enforcement if SELinux is
running in enforcing mode, and ship policies that do the right thing.
Admins would have to purposely cripple their policies to make this
insecure.

However, init scripts would all have to become selinux savvy and know
how to launch with the old model, which may be too tall an order.  It
also makes permissive mode more treacherous.

Still, is such a change less severe than changing what root means?  Is
Fedora that committed to SELinux?  What's it going to take to make most
people who shut off SELinux stop doing that?

-Bill

-- 
Bill McGonigle, Owner           Work: 603.448.4440
BFC Computing, LLC              Home: 603.448.1668
http://www.bfccomputing.com/    Cell: 603.252.2606
Twitter, etc.: bill_mcgonigle   Page: 603.442.1833
Email, IM, VOIP: bill bfccomputing com
Blog: http://blog.bfccomputing.com/
VCard: http://bfccomputing.com/vcard/bill.vcf


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]