Stephen Smalley <sdsat_private> writes: > On Sun, 29 Sep 2002, Olaf Dietsche wrote: > >> AFAICS, it looks like you can make _additional_ checks only. You still >> have to grant CAP_NET_BIND_SERVICE for binding to ports below PROT_SOCK. >> So, this doesn't look like a viable solution for me. > > You can grant CAP_NET_BIND_SERVICE to all processes via the capable() > hook, and then use the socket_bind() hook to control access > authoritatively to ports. It is true that SELinux only uses socket_bind > restrictively (to impose an additional domain-based control on port > binding), but you should be able to use it authoritatively as described > above. Of course, I can do that. I could even be more selective and do setcap() for those processes, which were permitted to access the restricted ports. But, as I wrote in my other mail, that opens access to other net protocols, which is not what I want. All things considered, when I use other protocols besides TCP/IP, this would make my system less secure than before. Anyway, maybe it looks like I'm nit-picking here, but I just wanted to make clear, why I suggested this hook. Thanks for listening. Regards, Olaf. _______________________________________________ linux-security-module mailing list linux-security-moduleat_private http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Mon Sep 30 2002 - 07:41:21 PDT