Firewall rules using SELinux context (Was Re: RFE: FireKit)

Bruno Wolff III bruno at wolff.to
Fri Jul 24 21:21:17 UTC 2009


On Fri, Jul 24, 2009 at 16:55:23 -0400,
  Steve Grubb <sgrubb at redhat.com> wrote:
> 
> I don't think I explained it well. I was thinking what if you had this rule:
> 
> -A INPUT -Z cups_t -j ACCEPT
> 
> and then cups was compromised and started listening on port 80. Since the 
> above rule has no port restrictions and cups is allowed to accept connections, 
> would cups now be able to start serving web pages?

I thought the idea was to label packets based on source and destination
(including ports) not application. Applications would get access to the
packets based on their context and the context (labels) of the packets.
I may have misunderstood though.
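
The labeling model described in the reply above, as an added example that is not part of this thread: the real iptables SECMARK/CONNSECMARK targets assign a packet label from the destination port alone, and a small shell model of the policy decision then shows why a cups_t process bound to port 80 would still not receive those packets. The packet type names, the allow rules and the port-to-type mapping are assumptions about the policy, not taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Packet types are assumed to follow the
# refpolicy naming (<name>_server_packet_t); check your own policy.

IPTABLES=${IPTABLES:-iptables}

# Rules an admin would load: the label depends only on the destination port,
# never on which process happens to be bound to it.
install_secmark_rules() {
    $IPTABLES -t mangle -A INPUT -p tcp --dport 631 -j SECMARK \
        --selctx system_u:object_r:cups_server_packet_t:s0
    $IPTABLES -t mangle -A INPUT -p tcp --dport 80 -j SECMARK \
        --selctx system_u:object_r:http_server_packet_t:s0
    # Save the label on the connection and restore it on later packets.
    $IPTABLES -t mangle -A INPUT -m state --state NEW -j CONNSECMARK --save
    $IPTABLES -t mangle -A INPUT -m state ! --state NEW -j CONNSECMARK --restore
}

# Model of the two SECMARK rules above: destination port -> packet type.
packet_label() {
    case "$1" in
        631) echo cups_server_packet_t ;;
        80)  echo http_server_packet_t ;;
        *)   echo unlabeled_t ;;   # no rule matched (real policy treats this separately)
    esac
}

# Model of the policy side, i.e. "allow <domain> <type>:packet recv;".
# Only the pairs listed here are permitted (assumed rules).
domain_may_recv() {
    case "$1:$2" in
        cups_t:cups_server_packet_t)  return 0 ;;
        httpd_t:http_server_packet_t) return 0 ;;
        *) return 1 ;;
    esac
}

# The scenario from the quoted mail: a compromised cups_t listens on port 80.
# Packets to port 80 are labeled http_server_packet_t regardless of who
# listens, and cups_t has no recv permission on that type, so they are denied.
check_scenario() {
    if domain_may_recv "$1" "$(packet_label "$2")"; then
        echo allowed
    else
        echo denied
    fi
}
```

Run `check_scenario cups_t 80` to see the denial and `check_scenario cups_t 631` to see normal printing traffic still allowed; `install_secmark_rules` is only defined, not executed, so the script is safe to source.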
