On Tue, May 30, 2006 at 02:58:11PM -0400, James Morris ([EMAIL PROTECTED])
wrote:
> > Apache still can set up routes using ioctl or execve("ip route add/route
> > add");
>
> Depends on the policy. You can specify which types of files/sockets
> apache can perform ioctl on, and whether it can execve 'ip', and if so,
> which security context that runs in, and then whether that security
> context can add routes.
With applications like phpmyadmin, apache must be allowed to perform such
operations no matter whether it is hacked or not...
> Security in SELinux is not based on the name of the application, it's
> based on the security label bound to the binary being executed.
I know how selinux works.
I see your point, selinux is supposed to control each dataflow even if it
sometimes is not that good an idea.
> > Anyway you can easily add an lsm hook into both sending/receiving paths in
> > connector code, it fully controls the traffic before it reaches the socket
> > queue or user's callback.
>
> There are already LSM hooks which allow this, it's a matter of not wanting
> to have to parse arbitrarily implemented Netlink protocols to determine
> what the messages are.
I mean you can control messages based on the cn_msg->id structure, since
cn_msg is a header for all connector messages.
> - James
> --
> James Morris
> <[EMAIL PROTECTED]>
--
Evgeniy Polyakov
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
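The point made in the reply above is that every connector message carries a cn_msg header whose id field (a cb_id pair idx/val) identifies the client it is addressed to, so a hook in the connector send/receive path can make an allow/deny decision from that header alone, without parsing the protocol-specific payload. The following user-space C program is an added illustration of that idea, not code from the kernel or from either participant. It re-declares the header layout (an assumption that it mirrors struct cb_id / struct cn_msg in linux/connector.h) so it builds without kernel headers, uses a constructed allow-list with placeholder ids, and also rejects messages whose header claims more payload than was actually received, which a real hook would have to check before trusting the len field.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * User-space re-declaration of the connector header (assumption: mirrors
 * struct cb_id / struct cn_msg in linux/connector.h; redefined here so the
 * example builds without kernel headers).  Every connector message starts
 * with this header, so a filter only needs cn_msg->id to decide.
 */
struct cb_id {
    uint32_t idx;
    uint32_t val;
};

struct cn_msg {
    struct cb_id id;   /* which connector client the message is for */
    uint32_t seq;
    uint32_t ack;
    uint16_t len;      /* number of payload bytes following the header */
    uint16_t flags;
    uint8_t  data[];   /* payload */
};

#define CN_HDR_LEN sizeof(struct cn_msg)

/* Constructed allow-list: (idx, val) pairs this caller may talk to.
 * The values are placeholders, not real connector ids. */
static const struct cb_id allowed_ids[] = {
    { 0x10, 0x1 },
    { 0x20, 0x7 },
};

/* Return 1 if id is on the allow-list, 0 otherwise. */
int cn_id_allowed(const struct cb_id *id)
{
    for (size_t i = 0; i < sizeof allowed_ids / sizeof allowed_ids[0]; i++)
        if (allowed_ids[i].idx == id->idx && allowed_ids[i].val == id->val)
            return 1;
    return 0;
}

/*
 * Decide on a raw connector message before it reaches a socket queue or
 * callback.  Returns 1 = allow, 0 = deny (id not on the allow-list),
 * -1 = malformed (too short for a header, or the header's len claims more
 * payload than is actually present in the buffer).
 */
int cn_filter(const uint8_t *buf, size_t buflen)
{
    struct cn_msg hdr;

    if (buflen < CN_HDR_LEN)
        return -1;
    memcpy(&hdr, buf, CN_HDR_LEN);          /* copy out: avoids unaligned access */
    if (hdr.len > buflen - CN_HDR_LEN)
        return -1;
    return cn_id_allowed(&hdr.id);
}

/* Build a constructed message into buf; returns total length, 0 if it won't fit. */
size_t cn_build(uint8_t *buf, size_t cap, uint32_t idx, uint32_t val,
                const void *payload, uint16_t plen)
{
    struct cn_msg hdr;

    if (cap < CN_HDR_LEN + plen)
        return 0;
    memset(&hdr, 0, sizeof hdr);
    hdr.id.idx = idx;
    hdr.id.val = val;
    hdr.seq = 1;
    hdr.len = plen;
    memcpy(buf, &hdr, CN_HDR_LEN);
    memcpy(buf + CN_HDR_LEN, payload, plen);
    return CN_HDR_LEN + plen;
}

int main(void)
{
    uint8_t buf[64];
    size_t n = cn_build(buf, sizeof buf, 0x10, 0x1, "hello", 5);
    printf("allowed id: %d\n", cn_filter(buf, n));      /* 1 */
    n = cn_build(buf, sizeof buf, 0x30, 0x1, "hello", 5);
    printf("unknown id: %d\n", cn_filter(buf, n));      /* 0 */
    printf("truncated:  %d\n", cn_filter(buf, 4));      /* -1 */
    return 0;
}
```

The decision depends only on the fixed 20-byte header, which is why the filter stays the same regardless of how the Netlink payload behind it is formatted; what it cannot do is distinguish two different operations multiplexed under the same id, which is the granularity James Morris's objection is about.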