From: Dominick Grift <dac.override@gmail.com>
To: selinux <selinux@tycho.nsa.gov>
Subject: Re: RFC: https://bugzilla.redhat.com/show_bug.cgi?id=1174405
Date: Fri, 9 Jan 2015 23:19:11 +0100
Message-ID: <20150109221910.GA11417@bigboy.network2>
In-Reply-To: <CAB9W1A3Y_+gZv=ZWGTGvuk_z8P_Ys7SVNAUz8wRCS1EDW_dcJg@mail.gmail.com>

On Fri, Jan 09, 2015 at 04:52:18PM -0500, Stephen Smalley wrote:
> Ports in the local port range can be auto-assigned by the kernel to
> unbound sockets on first use.  So it makes no sense to control them,
> and there isn't even an LSM hook in the place where such auto-port
> selection occurs.  Controlling binding to ports is only useful when
> the port number is a "name" (i.e. a well-defined value that is
> expected to correspond to a specific service), to prevent spoofing of
> security-relevant services like sshd.

Okay, for the sake of argument, let's say that makes sense to me. Should SELinux not somehow communicate this to the user?

First we had the scenario where SELinux denies and does not log denials (user space object managers), and now we have the scenario where SELinux allows even if there is no rule to allow it.

As a policy writer it gave me confidence to know that "if SELinux blocks, it logs" and that "SELinux denies access by default". Now those things turn out not to be true. It's a black box. Voodoo.

> 
> On Fri, Jan 9, 2015 at 4:05 PM, Dominick Grift <dac.override@gmail.com> wrote:
> > https://bugzilla.redhat.com/show_bug.cgi?id=1174405
> >
> > This is an inconsistency in SELinux
> >
> > _______________________________________________
> > Selinux mailing list
> > Selinux@tycho.nsa.gov
> > To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> > To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.

-- 
Dominick Grift
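The kernel behaviour Stephen describes above, shown as an added example (not code from the thread): binding to port 0 lets the kernel pick a port from ip_local_port_range, and an explicitly requested port can be classified as "ephemeral" (inside that range, so no name_bind rule applies) or "named" (outside it). The loopback address and the fallback range 32768-60999 are assumptions.

```python
import socket

# Assumption: fallback used only when /proc is not readable (e.g. in a sandbox).
DEFAULT_RANGE = (32768, 60999)


def local_port_range(path="/proc/sys/net/ipv4/ip_local_port_range"):
    """Return (low, high) of the kernel's ephemeral port range."""
    try:
        with open(path) as f:
            low, high = f.read().split()
            return int(low), int(high)
    except OSError:
        return DEFAULT_RANGE


def auto_assigned_port(host="127.0.0.1"):
    """Bind to port 0 so the kernel auto-selects a port; return the chosen port.

    This is the path where no LSM hook exists: the number is picked by the
    kernel, not requested by name, so there is nothing for SELinux to check.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def explicit_bind(port, host="127.0.0.1"):
    """Request a specific port number; return True if the kernel granted it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
            return True
        except OSError:
            return False


def classify_port(port, rng=None):
    """'ephemeral' if the port lies inside the local range, else 'named'.

    As discussed in the thread, only 'named' ports (well-known values such as
    sshd's 22) are meaningful to control with a name_bind rule.
    """
    low, high = rng or local_port_range()
    return "ephemeral" if low <= port <= high else "named"


if __name__ == "__main__":
    rng = local_port_range()
    p = auto_assigned_port()
    print(f"local range {rng}, kernel picked {p}: {classify_port(p, rng)}")
    print(f"port 22 would be: {classify_port(22, rng)}")
```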
