[redhat-lspp] NetLabel performance numbers

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Thu Jul 13 21:29:45 UTC 2006


On Thu, 13 Jul 2006 17:07:32 EDT, Paul Moore said:

> No, but I don't think anyone has tried yet.  That's my next step (at
> this moment I'm trying to fix something I broke during the last round of
> comments) but I don't expect that to be any more of a problem than
> trying to reconcile the existing jumble of networking hooks.

I'll look at that this weekend as well - a quick 5-minute overview
seems to indicate that there won't be any major code collisions, and
Klaus Weidner's "toy policy module" shouldn't conflict on the SELinux side.

Where it gets interesting is that somebody has to go through all the
combinations (both off, both on, etc), and make sure the SECMARK tags
added via iptables and the CIPSO tags added via netlabelctl interact
correctly.  In particular, Klaus's module has some 'allow {...}' lines
in it - we need to make sure that those don't short-circuit and let
through a packet that would have failed because none of the SECMARK
rules for foo_packet_t would allow the packet, and vice versa.

