On Tue, Jul 28, 2009 at 17:53:53 -0400,
Bill McGonigle <bill(a)bfccomputing.com> wrote:
> One simple alternative, sure to be unpopular with many, would be to
> patch the kernel to skip the low-numbered-port enforcement if SELinux is
> running in enforcing mode, and ship policies that do the right thing.
> Admins would have to purposely cripple their policies to make this
> insecure.
I think after the SELinux involvement in the recent popularized kernel
exploit, that isn't going to happen. Having enforcing mode do things you
can't in permissive mode is dangerous. While xguest will probably stay,
I don't think you'll see too many other cases where SELinux will give
you extra privileges.