Re: [PATCH] accessfs v0.6 ported to 2.5.35-lsm1 - 1/2

From: Stephen Smalley (sdsat_private)
Date: Mon Sep 30 2002 - 05:06:16 PDT

On Sun, 29 Sep 2002, Olaf Dietsche wrote:

> AFAICS, it looks like you can make _additional_ checks only. You still
> have to grant CAP_NET_BIND_SERVICE for binding to ports below PROT_SOCK.
> So, this doesn't look like a viable solution for me.

You can grant CAP_NET_BIND_SERVICE to all processes via the capable()
hook, and then use the socket_bind() hook to control access
authoritatively to ports.  It is true that SELinux only uses socket_bind
restrictively (to impose an additional domain-based control on port
binding), but you should be able to use it authoritatively as described
above.

--
Stephen D. Smalley, NAI Labs
ssmalleyat_private

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
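The difference between the two hook arrangements in the reply above (socket_bind as an additional, restrictive check versus socket_bind as the sole, authoritative decision once capable() hands out CAP_NET_BIND_SERVICE) is easiest to see in a small user-space model. The following C program is an added example written for this archive page; it is not code from the thread, from accessfs, from SELinux or from the kernel. The constant values, the `struct task` layout, the per-domain port policy table and the order in which the model's `kernel_bind()` consults the hooks are all assumptions chosen to illustrate the argument, not a description of any real kernel version.

```c
#include <stdio.h>
#include <string.h>

/* Names follow the thread; the numeric values are assumptions for this
 * user-space model and are not taken from kernel headers. */
#define PROT_SOCK            1024
#define CAP_NET_BIND_SERVICE 10
#define EACCES               13

/* Minimal stand-in for a process: a security label (like an SELinux domain)
 * and a capability bitmap, as the classic capability check would consult. */
struct task {
    const char  *domain;
    unsigned int caps;
};

/* Constructed policy: which labelled task may bind which port range. */
struct port_rule {
    const char    *domain;
    unsigned short lo, hi;
};

static const struct port_rule policy[] = {
    { "httpd_t",   80,    80 },
    { "httpd_t",  443,   443 },
    { "httpd_t", 8080,  8080 },
    { "user_t",  1024, 65535 },
};

/* A capable() hook returning 0 means "granted", mirroring the LSM convention. */
typedef int (*capable_fn)(const struct task *t, int cap);

/* Restrictive arrangement: capable() still answers from the task's own
 * capability bits, so the privileged-port test can fail on its own. */
static int capable_classic(const struct task *t, int cap)
{
    return (t->caps & (1u << cap)) ? 0 : -1;
}

/* Authoritative arrangement: capable() grants CAP_NET_BIND_SERVICE to every
 * task, so the privileged-port test never blocks; socket_bind() decides alone. */
static int capable_grant_bind(const struct task *t, int cap)
{
    if (cap == CAP_NET_BIND_SERVICE)
        return 0;
    return capable_classic(t, cap);   /* other capabilities are unchanged */
}

/* socket_bind() hook: look the (domain, port) pair up in the policy table. */
static int hook_socket_bind(const struct task *t, unsigned short port)
{
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++)
        if (strcmp(policy[i].domain, t->domain) == 0 &&
            port >= policy[i].lo && port <= policy[i].hi)
            return 0;
    return -EACCES;
}

/* Model of the kernel bind path (ordering is an assumption of this model):
 * the LSM bind hook runs, then the legacy privileged-port test calls capable().
 * Returns 0 on success or -EACCES. */
static int kernel_bind(const struct task *t, unsigned short port, capable_fn capable)
{
    int err = hook_socket_bind(t, port);
    if (err)
        return err;
    if (port < PROT_SOCK && capable(t, CAP_NET_BIND_SERVICE) != 0)
        return -EACCES;
    return 0;
}

int main(void)
{
    /* Constructed sample tasks: neither holds CAP_NET_BIND_SERVICE. */
    struct task httpd = { "httpd_t", 0 };
    struct task user  = { "user_t",  0 };

    printf("restrictive:   httpd_t:80   -> %d\n", kernel_bind(&httpd, 80, capable_classic));
    printf("authoritative: httpd_t:80   -> %d\n", kernel_bind(&httpd, 80, capable_grant_bind));
    printf("authoritative: user_t:22    -> %d\n", kernel_bind(&user, 22, capable_grant_bind));
    printf("authoritative: user_t:2000  -> %d\n", kernel_bind(&user, 2000, capable_grant_bind));
    return 0;
}
```

With the classic capable() answer, the unprivileged `httpd_t` task is refused port 80 even though the bind policy permits it; that is the limitation the quoted complaint describes. Swapping in the all-granting capable() hook makes the socket_bind() table the only thing that matters, so `httpd_t` may bind 80 without holding the capability while `user_t` is still refused port 22 and allowed an unprivileged port. The defender's caveat is that once capable() grants CAP_NET_BIND_SERVICE universally, the bind hook's policy must cover every domain, because nothing else stands between an arbitrary process and a privileged port.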



    This archive was generated by hypermail 2b30 : Mon Sep 30 2002 - 05:08:28 PDT