How best (BUT WHY) get rid of SELinux?

Bruno Wolff III bruno at wolff.to
Fri Sep 28 05:43:40 UTC 2007


On Thu, Sep 27, 2007 at 00:12:12 -0400,
  Ric Moore <wayward4now at gmail.com> wrote:
> 
> NOW you've got my attention. I actually need something just like that.
> As a matter of fact, if you could REALLY lock down the front porch,
> restricting service to just your subnets, and a local DNS server, you
> wouldn't need the guards inside to be set strict? As much? Tell me about
> this... inquiring minds want to know. What's the real deal? Ric

I have just seen discussions for patches dealing with this on the SELinux list.
I don't know what exactly the final plan is supposed to be. I believe you are
supposed to be able to attach context to packets based on host and port
information. This allows you to at least label packets based on address and
port information reliably (as much as you can trust the IPsec signatures). I
don't know if the sender of a packet will be able to attach context to packets
that the recipient can use.



