bittorrent in core? what frontend?

Stephen Pollei stephen_pollei at comcast.net
Sat Dec 17 20:28:13 UTC 2005


On Sat, 2005-12-17 at 07:53, Michael A. Peters wrote:
> On Sat, 2005-12-17 at 07:41 -0500, Sean wrote:

> > You don't want a static
> > firewall rule for a process that is only running occasionally. No, what
> > you want is an appropriate firewall rule set only for the time that BT is
> > actually running. Anything else is a security risk in itself.
Actually, shouldn't the strict SELinux policy cover this type of thing
much better? Not only just while BT is running, but only BT the app can
listen on that port range?

> Oh I see what you are saying.
> When trusted application foo is being run by user in trusted group bar
> (or open for any user) - the firewall will open ports xxxx to yyyy
> should foo request they be opened - for the duration that foo is
> running.
Yes, and that request should just be the bind(sockfd, my_addr, addrlen);
The kernel should be able to decide to grant that request based on the
information it has, being a "trusted" app (SELinux context label), run by
a trusted user (uid, gid, SELinux domain).
> 
> That would be slick.
It would be slicker if only the BT app could use those ports and you
didn't have to dynamically punch holes in the firewall.

-- 
http://dmoz.org/profiles/pollei.html
http://sourceforge.net/users/stephen_pollei/
http://www.orkut.com/Profile.aspx?uid=2455954990164098214
http://stephen_pollei.home.comcast.net/
http://www.biglumber.com/x/web?sn=Stephen+Pollei
https://keyserver-beta.pgp.com/vkd/DownloadKey.event?keyid=0x910F6BB54A7D9677
GPG Key fingerprint = EF6F 1486 EC27 B5E7 E6E1  3C01 910F 6BB5 4A7D 9677
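
Added example, not part of the original message: the application side of the idea above, where the only "request" is a plain bind() and the kernel's answer tells the app whether policy allowed it. The function names and the result enum are hypothetical; the code assumes Linux, where a denied bind (ports below 1024 without privilege, or an LSM such as SELinux refusing name_bind) fails with EACCES.

```c
#include <errno.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Outcome of asking the kernel for one port with a plain bind(). */
enum bind_result { BIND_OK, BIND_DENIED, BIND_IN_USE, BIND_ERROR };

/* Try to bind a TCP socket to `port` on all addresses.
 * On success *fd_out holds the bound socket; otherwise it is -1. */
enum bind_result try_bind(unsigned short port, int *fd_out)
{
    struct sockaddr_in addr;
    int fd = socket(AF_INET, SOCK_STREAM, 0);

    *fd_out = -1;
    if (fd < 0)
        return BIND_ERROR;
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_ANY);
    addr.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&addr, sizeof(addr)) == 0) {
        *fd_out = fd;
        return BIND_OK;
    }
    int err = errno;
    close(fd);
    /* EACCES: the kernel refused the request (DAC rule for ports
     * below 1024, or an LSM denying name_bind for this domain). */
    if (err == EACCES)
        return BIND_DENIED;
    return err == EADDRINUSE ? BIND_IN_USE : BIND_ERROR;
}

/* Walk lo..hi and return the first port the kernel grants, or 0.
 * *denied counts ports refused by policy rather than merely busy. */
unsigned short bind_in_range(unsigned short lo, unsigned short hi,
                             int *fd_out, int *denied)
{
    *denied = 0;
    for (unsigned int p = lo; p <= hi; p++) {
        enum bind_result r = try_bind((unsigned short)p, fd_out);
        if (r == BIND_OK)
            return (unsigned short)p;
        if (r == BIND_DENIED)
            (*denied)++;
    }
    return 0;
}
```

A non-zero denied count with no port granted means the process is not permitted to use that range, as opposed to the range simply being occupied.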


More information about the fedora-devel-list mailing list