Firewall rules using SELinux context (Was Re: RFE: FireKit)
Roland McGrath
roland at redhat.com
Fri Jul 24 21:00:23 UTC 2009
> I don't think I explained it well. I was thinking what if you had this rule:
>
> -A INPUT -Z cups_t -j ACCEPT
>
> and then cups was compromised and started listening on port 80. Since the
> above rule has no port restrictions and cups is allowed to accept connections,
> would cups now be able to start serving web pages?
I think the idea was that cups_t is a key into policy so that policy
expresses what this iptables rule means, not that the rule says "treat
whatever any cups_t process happens to be doing this way".
At least, that's the good idea. ;-)
Thanks,
Roland
More information about the devel
mailing list