From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
To: "Maciej Żenczykowski" <zenczykowski@gmail.com>
Cc: "David S . Miller" <davem@davemloft.net>,
Linux NetDev <netdev@vger.kernel.org>,
Sean Tranchetti <stranche@codeaurora.org>,
Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>,
Eric Dumazet <edumazet@google.com>,
Linux SCTP <linux-sctp@vger.kernel.org>
Subject: Re: [PATCH] net: introduce ip_local_unbindable_ports sysctl
Date: Wed, 04 Dec 2019 18:27:03 +0000 [thread overview]
Message-ID: <20191204182703.GA5057@localhost.localdomain> (raw)
In-Reply-To: <CAHo-OowLw93a8P=RR=2jXQS92d118L3bNmBrUfPSBP4CDq_Ctg@mail.gmail.com>
On Fri, Nov 29, 2019 at 09:00:19PM +0100, Maciej Żenczykowski wrote:
...
> I'm of the opinion that SELinux and other security policy modules
> should be reserved for things related to system wide security policy.
> Not for things that are more along the lines of 'functionality'.
Makes sense.
>
> Also selinux has 'permissive' mode which causes the system to ignore
> all selinux access controls (in favour of just logging) and this is
> what is commonly used during development (because it's such a pain to
> work with).
Agree, this would be a big problem.
IOW, "you don't have permission to access to this" != "you just can't use this, no
matter what"
FWIW, I rest my case :-)
Thanks,
Marcelo
WARNING: multiple messages have this Message-ID (diff)
From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
To: "Maciej Żenczykowski" <zenczykowski@gmail.com>
Cc: "David S . Miller" <davem@davemloft.net>,
Linux NetDev <netdev@vger.kernel.org>,
Sean Tranchetti <stranche@codeaurora.org>,
Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>,
Eric Dumazet <edumazet@google.com>,
Linux SCTP <linux-sctp@vger.kernel.org>
Subject: Re: [PATCH] net: introduce ip_local_unbindable_ports sysctl
Date: Wed, 4 Dec 2019 15:27:03 -0300 [thread overview]
Message-ID: <20191204182703.GA5057@localhost.localdomain> (raw)
In-Reply-To: <CAHo-OowLw93a8P=RR=2jXQS92d118L3bNmBrUfPSBP4CDq_Ctg@mail.gmail.com>
On Fri, Nov 29, 2019 at 09:00:19PM +0100, Maciej Żenczykowski wrote:
...
> I'm of the opinion that SELinux and other security policy modules
> should be reserved for things related to system wide security policy.
> Not for things that are more along the lines of 'functionality'.
Makes sense.
>
> Also selinux has 'permissive' mode which causes the system to ignore
> all selinux access controls (in favour of just logging) and this is
> what is commonly used during development (because it's such a pain to
> work with).
Agree, this would be a big problem.
IOW, "you don't have permission to access to this" != "you just can't use this, no
matter what"
FWIW, I rest my case :-)
Thanks,
Marcelo
next prev parent reply other threads:[~2019-12-04 18:27 UTC|newest]
Thread overview: 59+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-27 0:13 [PATCH] net: introduce ip_local_unbindable_ports sysctl Maciej Żenczykowski
2019-11-27 0:13 ` Maciej Żenczykowski
2019-11-27 2:10 ` subashab
2019-11-27 13:14 ` Marcelo Ricardo Leitner
2019-11-27 13:14 ` Marcelo Ricardo Leitner
2019-11-27 20:50 ` Maciej Żenczykowski
2019-11-27 20:50 ` Maciej Żenczykowski
2019-11-27 22:33 ` David Miller
2019-11-27 22:33 ` David Miller
2019-11-27 23:00 ` Marcelo Ricardo Leitner
2019-11-27 23:00 ` Marcelo Ricardo Leitner
2019-11-29 20:00 ` Maciej Żenczykowski
2019-11-29 20:00 ` Maciej Żenczykowski
2019-12-04 18:27 ` Marcelo Ricardo Leitner [this message]
2019-12-04 18:27 ` Marcelo Ricardo Leitner
2019-12-09 22:43 ` Maciej Żenczykowski
2019-12-09 22:43 ` Maciej Żenczykowski
2019-12-09 22:45 ` [PATCH v2] " Maciej Żenczykowski
2019-12-09 22:45 ` Maciej Żenczykowski
2019-12-09 23:42 ` Jakub Kicinski
2019-12-09 23:42 ` Jakub Kicinski
2019-12-10 0:02 ` Maciej Żenczykowski
2019-12-10 0:02 ` Maciej Żenczykowski
2019-12-10 0:18 ` Jakub Kicinski
2019-12-10 0:18 ` Jakub Kicinski
2019-12-10 7:00 ` subashab
2019-12-10 11:46 ` Maciej Żenczykowski
2019-12-10 11:46 ` Maciej Żenczykowski
2019-12-10 17:31 ` Jakub Kicinski
2019-12-10 17:31 ` Jakub Kicinski
2019-12-13 0:16 ` Lorenzo Colitti
2019-12-13 0:16 ` Lorenzo Colitti
2019-12-13 0:47 ` Jakub Kicinski
2019-12-13 0:47 ` Jakub Kicinski
2019-12-13 0:57 ` Lorenzo Colitti
2019-12-13 0:57 ` Lorenzo Colitti
2019-12-13 1:53 ` subashab
2019-12-13 1:53 ` subashab
2019-12-13 2:04 ` Jakub Kicinski
2019-12-13 2:04 ` Jakub Kicinski
2019-12-10 19:28 ` David Miller
2019-12-10 19:28 ` David Miller
[not found] ` <0101016eee9bf9b5-f5615781-f0a6-41c4-8e9d-ed694eccf07c-000000@us-west-2.amazonses.com>
2019-12-10 17:12 ` Jakub Kicinski
2019-12-10 17:12 ` Jakub Kicinski
2019-12-10 18:12 ` subashab
2019-12-13 0:25 ` [PATCH] " Lorenzo Colitti
2019-12-13 0:25 ` Lorenzo Colitti
2019-12-13 11:49 ` Neil Horman
2019-12-13 11:49 ` Neil Horman
2019-12-19 9:35 ` Lorenzo Colitti
2019-12-19 9:35 ` Lorenzo Colitti
2019-12-19 13:17 ` Neil Horman
2019-12-19 13:17 ` Neil Horman
2019-12-19 14:02 ` Lorenzo Colitti
2019-12-19 14:02 ` Lorenzo Colitti
2019-12-19 16:57 ` Neil Horman
2019-12-19 16:57 ` Neil Horman
2019-12-19 17:52 ` David Miller
2019-12-19 17:52 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191204182703.GA5057@localhost.localdomain \
--to=marcelo.leitner@gmail.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=linux-sctp@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=stranche@codeaurora.org \
--cc=subashab@codeaurora.org \
--cc=zenczykowski@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.