Lower Process Capabilities

Bill McGonigle bill at bfccomputing.com
Tue Jul 28 21:53:53 UTC 2009


On 07/28/2009 04:11 PM, Chris Adams wrote:
> AFAIK SELinux introduces additional controls and does not replace or
> override existing controls.  I'm pretty sure non-root still can't
> directly listen on a low-numbered port.

For some reason I thought it was possible with MAC, but I can't find
anything to support that.  I might have been thinking of Solaris privileges.

One simple alternative, sure to be unpopular with many, would be to
patch the kernel to skip the low-numbered-port enforcement if SELinux is
running in enforcing mode, and ship policies that do the right thing.
Admins would have to purposely cripple their policies to make this
insecure.

However, init scripts would all have to become SELinux-savvy and know
how to launch with the old model, which may be too tall an order.  It
also makes permissive mode more treacherous.

Still, is such a change less severe than changing what root means?  Is
Fedora that committed to SELinux?  What's it going to take to make most
people who shut off SELinux stop doing that?

-Bill

-- 
Bill McGonigle, Owner           Work: 603.448.4440
BFC Computing, LLC              Home: 603.448.1668
http://www.bfccomputing.com/    Cell: 603.252.2606
Twitter, etc.: bill_mcgonigle   Page: 603.442.1833
Email, IM, VOIP: bill at bfccomputing.com
Blog: http://blog.bfccomputing.com/
VCard: http://bfccomputing.com/vcard/bill.vcf



