by nailer
4283 days ago
Personally it always felt off that the SELinux approach to something like, say, binding to low ports, was to allow something to run as root to bind to that low port, then control access to that role so it couldn't do other root things. See http://wiki.gentoo.org/wiki/SELinux/Tutorials/Managing_netwo... I'd rather have a simpler, file- and user-based approach. I know that's not role based, but since the `myapp` user matches 1:1 with the role of my app, it seems reasonable: chown /proc/ports/tcp/80 myapp

Yes, that file doesn't exist yet, it's a proposal. Yes, this breaks the `all-or-nothing` approach to root special privileges. But `all-or-nothing` is broken, and SELinux just seems to be working around it.

Off-topic: 'avc denied' is still one of the worst error messages in Unix. Nobody cares/knows that the access vector cache is part of SELinux. Making it 'SELinux denies' would have made people a lot happier with the system and lost Google a small amount of search engine revenue.
So to run a web server as the user myapp (with UID 1234 in this example), you simply load the mac_portacl kernel module and then:
In Linux it seems I can only assign the right to bind to all privileged ports (with cap_net_bind_service), but once every user has that right, that's essentially the same thing as not having privileged ports at all, and we're back to where we started. O_o

[0] http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ma...
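As an added illustration (not code from either kernel or from the commenters), a small Python model of the two policies compared above: mac_portacl-style rules that grant one uid or gid one protocol/port pair, written in the `idtype:id:protocol:port` comma-separated form the module's `security.mac.portacl.rules` sysctl takes, versus Linux's CAP_NET_BIND_SERVICE, which covers every port below 1024 at once. The root exemption mirrors mac_portacl's default `suser_exempt`; the function names and the sample rule set are mine.

```python
"""Toy model of per-port ACLs (FreeBSD mac_portacl style) versus the
all-or-nothing CAP_NET_BIND_SERVICE model (Linux). Added illustration
only; it does not touch any kernel interface."""
from dataclasses import dataclass

PRIVILEGED_MAX = 1023  # ports 0..1023 need special privilege on both systems


@dataclass(frozen=True)
class Rule:
    idtype: str   # "uid" or "gid"
    ident: int
    proto: str    # "tcp" or "udp"
    port: int


def parse_rules(spec: str) -> list[Rule]:
    """Parse 'uid:1234:tcp:80,gid:80:udp:53' into Rule objects, rejecting junk."""
    rules = []
    for entry in filter(None, spec.split(",")):
        parts = entry.split(":")
        if len(parts) != 4:
            raise ValueError(f"malformed rule: {entry!r}")
        idtype, ident, proto, port = parts
        if idtype not in ("uid", "gid") or proto not in ("tcp", "udp"):
            raise ValueError(f"malformed rule: {entry!r}")
        rules.append(Rule(idtype, int(ident), proto, int(port)))
    return rules


def portacl_allows(rules, uid, gids, proto, port):
    """Per-port model: root (suser_exempt) and unprivileged ports always pass;
    otherwise a rule must name this uid or one of its gids for exactly this
    protocol and port. Nothing else about root is granted."""
    if uid == 0 or port > PRIVILEGED_MAX:
        return True
    return any(r.proto == proto and r.port == port and
               ((r.idtype == "uid" and r.ident == uid) or
                (r.idtype == "gid" and r.ident in gids))
               for r in rules)


def capability_allows(has_net_bind_service, port):
    """Capability model: one bit opens every privileged port or none of them."""
    return has_net_bind_service or port > PRIVILEGED_MAX


if __name__ == "__main__":
    rules = parse_rules("uid:1234:tcp:80,uid:1234:tcp:443")  # constructed sample
    print(portacl_allows(rules, 1234, {1234}, "tcp", 80))    # myapp may take 80
    print(portacl_allows(rules, 1234, {1234}, "tcp", 25))    # but not SMTP
    print(capability_allows(True, 25))                        # the cap opens 25 too
```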