
Re: Lower Process Capabilities



On Tue, Jul 28, 2009 at 17:53:53 -0400,
  Bill McGonigle <bill bfccomputing com> wrote:
> 
> One simple alternative, sure to be unpopular with many, would be to
> patch the kernel to skip the low-numbered-port enforcement if SELinux is
> running in enforcing mode, and ship policies that do the right thing.
> Admins would have to purposely cripple their policies to make this
> insecure.

I think after the SELinux involvement in the recent popularized kernel
exploit, that isn't going to happen. Having enforcing mode do things you
can't in permissive mode is dangerous. While xguest will probably stay,
I don't think you'll see too many other cases where SELinux will give
you extra privileges.

