On Sun, 29 Sep 2002, Olaf Dietsche wrote:

> AFAICS, it looks like you can make _additional_ checks only. You still
> have to grant CAP_NET_BIND_SERVICE for binding to ports below PROT_SOCK.
> So, this doesn't look like a viable solution for me.

You can grant CAP_NET_BIND_SERVICE to all processes via the capable() hook, and then use the socket_bind() hook to control access authoritatively to ports. It is true that SELinux only uses socket_bind restrictively (to impose an additional domain-based control on port binding), but you should be able to use it authoritatively as described above.

--
Stephen D. Smalley, NAI Labs
ssmalleyat_private

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
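The arrangement Stephen describes, as an added user-space model that is not code from this thread, from SELinux or from the LSM tree: the capable() hook grants CAP_NET_BIND_SERVICE unconditionally so the generic privileged-port check in inet_bind() passes, and the socket_bind() hook then makes the authoritative decision from a label-to-port policy. The security labels (httpd_t, sshd_t), the policy rows and the bind attempts are constructed for illustration; the CAP_NET_BIND_SERVICE and PROT_SOCK values are the kernel's. Hook return convention follows LSM: 0 allows, a negative errno denies.

```c
/* Added example: user-space model of the capable()/socket_bind() hook split.
 * Not kernel code; it mirrors the decision order, not the kernel's data structures. */
#include <stdio.h>
#include <string.h>
#include <errno.h>

#define CAP_NET_BIND_SERVICE 10   /* Linux capability number */
#define PROT_SOCK 1024            /* ports below this need CAP_NET_BIND_SERVICE */

/* Stand-in for the per-task security blob an LSM would attach. */
struct task_sec {
    const char *label;   /* constructed label such as "httpd_t" */
};

/* One policy row: this label may bind this privileged port. */
struct bind_rule {
    const char *label;
    unsigned short port;
};

/* Constructed sample policy. */
static const struct bind_rule policy[] = {
    { "httpd_t", 80 },
    { "httpd_t", 443 },
    { "sshd_t",  22 },
};

/* Model of the capable() hook: CAP_NET_BIND_SERVICE is always granted so the
 * DAC-style port check never blocks; other capabilities keep the usual rule
 * (the task must actually hold them). Returns 0 = allowed, -EPERM = denied. */
int hook_capable(const struct task_sec *tsk, int cap, int task_has_cap)
{
    (void)tsk;
    if (cap == CAP_NET_BIND_SERVICE)
        return 0;
    return task_has_cap ? 0 : -EPERM;
}

/* Model of the socket_bind() hook: the authoritative check for privileged ports.
 * Unprivileged ports are left alone; privileged ones need a matching policy row. */
int hook_socket_bind(const struct task_sec *tsk, unsigned short port)
{
    size_t i;
    if (port >= PROT_SOCK)
        return 0;
    for (i = 0; i < sizeof policy / sizeof policy[0]; i++)
        if (policy[i].port == port && strcmp(policy[i].label, tsk->label) == 0)
            return 0;
    return -EACCES;
}

/* Mirror of the order inet_bind() applies the checks: capability first
 * (now always satisfied for CAP_NET_BIND_SERVICE), then the LSM bind hook. */
int try_bind(const struct task_sec *tsk, unsigned short port)
{
    int rc = 0;
    if (port < PROT_SOCK)
        rc = hook_capable(tsk, CAP_NET_BIND_SERVICE, 0); /* task holds no caps */
    if (rc == 0)
        rc = hook_socket_bind(tsk, port);
    return rc;
}

int main(void)
{
    const struct task_sec web = { "httpd_t" };
    const struct task_sec ssh = { "sshd_t" };
    printf("httpd_t -> :80   rc=%d\n", try_bind(&web, 80));    /* 0, allowed by policy */
    printf("sshd_t  -> :80   rc=%d\n", try_bind(&ssh, 80));    /* -EACCES, no row */
    printf("httpd_t -> :8080 rc=%d\n", try_bind(&web, 8080));  /* 0, unprivileged */
    return 0;
}
```

The point the model makes is that the capability hook alone cannot express "only these labels may bind port 80": it can only say yes or no to the capability. Granting the capability generically and moving the real decision into socket_bind() is what turns the bind hook from an additional restriction into the sole arbiter of privileged ports.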
This archive was generated by hypermail 2b30 : Mon Sep 30 2002 - 05:08:28 PDT