kernel_t and rawip
Ken
mantaray_1 at cox.net
Fri May 25 18:53:56 UTC 2007
I inadvertently sent this to cpebenito at tresys.com rather than to the
list. Here it is for the list:
Christopher J. PeBenito wrote:
> On Wed, 2007-05-23 at 15:11 -0700, Ken wrote:
>> I became interested in SELinux primarily to increase the level of
>> security I have when I am connected to the Internet, and until recently
>> I have not allowed kernel_t to send or receive rawip over the Internet.
>> I have recently allowed this because I was having difficulty making
>> an online payment without this enabled. Since enabling this, I have
>> wondered what the security implications of allowing kernel_t to send and
>> receive rawip on the Internet are;
>
> It's normal behavior, the kernel needs the permission so it can handle ICMP
> traffic, e.g. ping replies, destination unreachable, etc.
>
I am aware of ICMP traffic, but even the best programs and
protocols can be unexpectedly vulnerable to exploitation; and from a
logical perspective, I have (completely and unconditionally) opened my
system to allow a particular type of communication with outside
connections -- at least with respect to SELinux. My interest is in
learning what the logical limits are with respect to what can be sent
and received as rawip to and from kernel_t; and what the limitations of
what can be done with the data are. I was hoping there is a document
compiled somewhere that provides this (and similar) information.
- Ken -