Non-root listening at port < 1024

Stephen Smalley sds at epoch.ncsc.mil
Mon Nov 15 15:14:16 UTC 2004


On Mon, 2004-11-15 at 10:12, Daniel J Walsh wrote:
> No. SELinux is parallel to normal Linux/Unix protections.  So anything
> that is prevented due to normal Unix protections will be prevented in an
> SELinux system.  In the future this might change.

Note however that you can run a uid 0 process in a particular SELinux
security domain and deny it all capabilities except CAP_NET_BIND_SERVICE
using the SELinux policy, and further use SELinux policy to limit it to
a specific port number or range.  

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
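The setup Stephen describes, as an added example that is not part of the original
post and not code from the SELinux or Fedora projects: a refpolicy-style module
that puts a uid 0 daemon into a domain whose only capability is net_bind_service
and whose listener may bind only to a port type of its own, plus the build, load,
port-labelling and verification commands typed on a Fedora host. The domain name
myapp_t, the types myapp_exec_t and myapp_port_t, the binary /usr/sbin/myapp and
port 1000/tcp are assumed names for illustration; the build needs
selinux-policy-devel, policycoreutils and setools.

```shell
#!/bin/sh
# Added example, not from the list post or the SELinux/Fedora project.
# A uid-0 daemon runs in domain myapp_t, whose only capability is
# net_bind_service, and may bind only to ports labelled myapp_port_t.
# Assumed (hypothetical) names: myapp_t, myapp_exec_t, myapp_port_t,
# /usr/sbin/myapp, port 1000/tcp.

MODULE=myapp
DAEMON_PATH=/usr/sbin/myapp
PORT_PROTO=tcp
PORT_NUM=1000      # assumed to be unlabelled in the base policy; see caveat below

# Type-enforcement source.  SELinux is deny-by-default, so the absence of
# any other capability permission is what denies "everything except
# CAP_NET_BIND_SERVICE"; the neverallow additionally fails the build if a
# later rule tries to grant more (checked when expand-check is enabled in
# /etc/selinux/semanage.conf).
gen_te() {
    cat <<'EOF'
policy_module(myapp, 1.0)

type myapp_t;
type myapp_exec_t;
init_daemon_domain(myapp_t, myapp_exec_t)

# Private port type; the port number is attached with semanage, not here,
# because portcon statements are only accepted in the base policy.
type myapp_port_t;
corenet_port(myapp_port_t)

# The single capability granted to the uid-0 process.
allow myapp_t self:capability net_bind_service;
neverallow myapp_t self:capability ~net_bind_service;

# Listener: create/bind/listen/accept a TCP socket, name_bind only on
# myapp_port_t ports.
allow myapp_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_bind_generic_node(myapp_t)
allow myapp_t myapp_port_t:tcp_socket name_bind;
EOF
}

# Build with the refpolicy devel Makefile (it expands the m4 macros above),
# load the module, then label the port and the binary.
build_and_load() {
    gen_te > "$MODULE.te"
    make -f /usr/share/selinux/devel/Makefile "$MODULE.pp"
    semodule -i "$MODULE.pp"
    # Caveat: if the port is already labelled in the base policy, semanage
    # refuses "-a"; either change it with "-m" or grant name_bind on the
    # existing port type (e.g. corenet_tcp_bind_http_port) instead of
    # declaring a new one.  A range is written as LOW-HIGH in place of the
    # single number.
    semanage port -a -t myapp_port_t -p "$PORT_PROTO" "$PORT_NUM"
    semanage fcontext -a -t myapp_exec_t "$DAEMON_PATH"
    restorecon -v "$DAEMON_PATH"
}

# Show what the loaded policy actually lets myapp_t do: the capability
# rules should list only net_bind_service, and name_bind only myapp_port_t.
verify() {
    sesearch -A -s myapp_t -c capability
    sesearch -A -s myapp_t -c tcp_socket -p name_bind
}

if [ "$(id -u)" = 0 ] && command -v semodule >/dev/null 2>&1; then
    build_and_load
    verify
else
    # Not root, or no SELinux userspace: just print the module source.
    gen_te
fi
```

Once the module is loaded, start the daemon through init (so the transition in
init_daemon_domain applies) and confirm with `ps -eZ | grep myapp_t` that it is
running in the confined domain; any attempt by the uid 0 process to use another
capability (chown, setuid, sys_admin and so on) then shows up as an AVC denial
rather than succeeding on the strength of uid 0 alone.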