selinux_socket_bind hook

Stephen Smalley sds at tycho.nsa.gov
Thu Apr 28 16:49:47 UTC 2005


On Thu, 2005-04-28 at 12:32 -0400, Steve Brueckner wrote:
> In trying to segment networking into two domains I seem to have overlooked
> that name_bind doesn't get enforced for ports within the machine's local
> port range (i.e. ports assigned by the kernel).  I suppose I could try to
> hack the LSM selinux_socket_bind hook to enforce name_bind for all ports;
> would that be possible?  I'd rather not, though, since I've never ventured
> deeper than SELinux policy, and delving into the mechanism scares me.  Is it
> possible to somehow implement a boolean that would toggle whether name_bind
> was enforced for all ports or just for ports outside the local port range?

That hook is only applied for explicit bind(2) calls by applications.
Auto-binding of unbound sockets by the kernel (e.g. when sending on an
unbound socket) will never hit that hook at all.  You would need to
modify udp_v4_get_port and tcp_v4_get_port to check permission and keep
scanning for another available port until one is allowed.  Not likely to
make much headway upstream.

-- 
Stephen Smalley <sds at tycho.nsa.gov>
National Security Agency
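The distinction Stephen draws above, as an added example that is not part of the thread: a userspace program that obtains a local port two ways on Linux, once through an explicit bind(2) (the path that reaches the LSM socket_bind hook) and once with no bind(2) at all, by calling connect() on an unbound UDP socket so the kernel auto-assigns a source port. It then checks whether the auto-assigned port falls inside /proc/sys/net/ipv4/ip_local_port_range. The loopback discard port used as the connect() target is an arbitrary choice; UDP connect() needs no listener there.

```c
/* Added example, not code from the mailing list thread. Linux only: reads
 * /proc/sys/net/ipv4/ip_local_port_range and uses loopback (127.0.0.1:9, an
 * arbitrary target) for the auto-bind case. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Parse ip_local_port_range ("32768\t60999\n"). Returns 0 or -errno. */
int read_local_port_range(int *lo, int *hi)
{
    FILE *f = fopen("/proc/sys/net/ipv4/ip_local_port_range", "r");
    if (!f)
        return -errno;
    int n = fscanf(f, "%d %d", lo, hi);
    fclose(f);
    return n == 2 ? 0 : -EINVAL;
}

/* Port the kernel currently has this socket bound to, or -errno. */
static int local_port(int fd)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0)
        return -errno;
    return ntohs(sa.sin_port);
}

/* Explicit bind(2) to INADDR_ANY:port. This is the syscall that reaches the
 * socket_bind LSM hook. Port 0 asks the kernel to choose. Returns the
 * resulting port or -errno. */
int explicit_bind_port(int port)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -errno;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons((uint16_t)port);
    int r = bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 ? -errno : local_port(fd);
    close(fd);
    return r;
}

/* No bind(2) at all: connect() on an unbound UDP socket makes the kernel
 * pick a source port itself (the get_port path), so the bind hook is never
 * consulted. Returns the auto-assigned port or -errno (e.g. -ENETUNREACH if
 * loopback is down). */
int auto_bound_port(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -errno;
    struct sockaddr_in peer;
    memset(&peer, 0, sizeof peer);
    peer.sin_family = AF_INET;
    peer.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    peer.sin_port = htons(9); /* discard; arbitrary, no listener needed */
    int r = connect(fd, (struct sockaddr *)&peer, sizeof peer) < 0 ? -errno : local_port(fd);
    close(fd);
    return r;
}

/* 1 if port is inside ip_local_port_range, 0 if not, -1 if unreadable. */
int in_local_port_range(int port)
{
    int lo, hi;
    if (read_local_port_range(&lo, &hi) < 0)
        return -1;
    return port >= lo && port <= hi;
}

int main(void)
{
    int lo = 0, hi = 0;
    read_local_port_range(&lo, &hi);
    printf("ip_local_port_range = %d-%d\n", lo, hi);
    int a = auto_bound_port();
    if (a < 0)
        printf("auto-bind failed: %s\n", strerror(-a));
    else
        printf("auto-bound source port %d (in local range: %s)\n", a,
               in_local_port_range(a) == 1 ? "yes" : "no");
    printf("explicit bind(2) to port 0 gave port %d\n", explicit_bind_port(0));
    return 0;
}
```

Run it under a policy that denies name_bind for a port type covering the ephemeral range: the explicit bind(2) case is where an AVC denial could appear, while the connect() case still succeeds with a port from the same range because no bind hook runs for it, which is exactly why a boolean on selinux_socket_bind cannot close the gap.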