Personal firewall replaced by SELinux ?
Alan Cox
alan at redhat.com
Tue Apr 20 15:41:04 UTC 2004
On Tue, Apr 20, 2004 at 02:29:51PM +0200, David Balazic wrote:
> install, since FC1 IIRC, I don't know what its name is, I believe it is the
> kernel packet filter ) obsoleted by it ?
Not really
> In other words, can SELinux give the same (or mostly same) functionality ?
There is a tiny bit of overlap, but netfilter deals with stuff earlier than
the protocol stack which provides better defence and the ability to defend
against protocol level abuses.
SELinux provides a good vehicle for things like virtual hosting where you
want a given virtual host to use a specific address only.
> IMHO, putting a single line of check into the listen() function is much more
> elegant than a complex packet analyzer
> with its complex rules.
You can use the socket filter ioctls to push simple BPF type rules onto
a specific socket, even as a user btw