Lower Process Capabilities
Bruno Wolff III
bruno at wolff.to
Tue Jul 28 23:15:10 UTC 2009
On Tue, Jul 28, 2009 at 17:53:53 -0400,
Bill McGonigle <bill at bfccomputing.com> wrote:
>
> One simple alternative, sure to be unpopular with many, would be to
> patch the kernel to skip the low-numbered-port enforcement if SELinux is
> running in enforcing mode, and ship policies that do the right thing.
> Admins would have to purposely cripple their policies to make this
> insecure.
I think after the selinux involvement in the recent popularized kernel
exploit, that isn't going to happen. Having enforcing mode do things you
can't in permissive mode is dangerous. While xguest will probably stay,
I don't think you'll see too many other cases where selinux will give
you extra privileges.
More information about the fedora-devel-list
mailing list