selinux_socket_bind hook
Steve Brueckner
steve at atc-nycorp.com
Thu Apr 28 16:32:36 UTC 2005
In trying to segment networking into two domains I seem to have overlooked
that name_bind doesn't get enforced for ports within the machine's local
port range (i.e. ports assigned by the kernel). I suppose I could try to
hack the LSM selinux_socket_bind hook to enforce name_bind for all ports;
would that be possible? I'd rather not, though, since I've never ventured
deeper than SELinux policy, and delving into the mechanism scares me. Is it
possible to somehow implement a boolean that would toggle whether name_bind
was enforced for all ports or just for ports outside the local port range?
Thanks,
- Steve Brueckner, ATC-NY
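To make the behaviour in the question concrete, here is an added user-space model (not code from the post or from the kernel) of the port test that, as I understand the 2.6-era selinux_socket_bind hook in security/selinux/hooks.c, gates the name_bind permission check: a bind() is checked only when the port is non-zero and lies below max(PROT_SOCK, low) or above high, where low/high come from net.ipv4.ip_local_port_range. The reproduced condition, the PROT_SOCK value of 1024 and the fallback range are assumptions; the real hook also performs node_bind and other checks that are not modelled here.

```c
/* Added example: model of which bind() calls reach SELinux's name_bind
 * check under the assumed 2.6-era selinux_socket_bind condition:
 *   port != 0 && (port < max(PROT_SOCK, low) || port > high)
 * Ports the kernel assigns (port 0) and ports inside the local range
 * are never checked, which is exactly the gap described in the post. */
#include <stdio.h>

#define PROT_SOCK 1024  /* privileged-port boundary (assumed, as in the kernel) */

/* Returns 1 when a bind() to `port` would reach the name_bind check,
 * 0 when the hook skips it. `low`/`high` are the local port range. */
int name_bind_checked(int port, int low, int high)
{
    int lower = low > PROT_SOCK ? low : PROT_SOCK;
    if (port == 0)
        return 0;                 /* autobind: nothing explicit to check */
    /* Note: ports below PROT_SOCK stay checked even if the local range
     * has been lowered beneath 1024, because of the max() above. */
    return port < lower || port > high;
}

/* Read net.ipv4.ip_local_port_range from /proc; fall back to an
 * assumed default of 32768-61000 when the file is unavailable. */
void read_local_port_range(int *low, int *high)
{
    FILE *f = fopen("/proc/sys/net/ipv4/ip_local_port_range", "r");
    *low = 32768;
    *high = 61000;
    if (f) {
        if (fscanf(f, "%d %d", low, high) != 2) {
            *low = 32768;
            *high = 61000;
        }
        fclose(f);
    }
}

int main(void)
{
    int low, high, i;
    int ports[] = { 0, 80, 1023, 8080, 32768, 40000, 61000, 61001 };
    read_local_port_range(&low, &high);
    printf("local port range: %d-%d\n", low, high);
    for (i = 0; i < (int)(sizeof ports / sizeof ports[0]); i++)
        printf("port %5d: name_bind %s\n", ports[i],
               name_bind_checked(ports[i], low, high) ? "checked" : "skipped");
    return 0;
}
```

Running it on a host shows which of a daemon's bind() calls the policy can actually constrain; anything reported as "skipped" would need the hook itself (or a toggle like the one asked about) to be covered.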