[redhat-lspp] RE: [PATCH 0/1] selinux: secid reconciliation fixes V01
Venkat Yekkirala
vyekkirala at TrustedCS.com
Mon Oct 9 17:20:15 UTC 2006
> -----Original Message-----
> From: James Morris [mailto:jmorris at namei.org]
> Sent: Monday, October 09, 2006 12:02 PM
> To: Venkat Yekkirala
> Cc: selinux at tycho.nsa.gov; redhat-lspp at redhat.com; paul.moore at hp.com;
> sds at tycho.nsa.gov; eparis at redhat.com; jbrindle at tresys.com
> Subject: RE: [PATCH 0/1] selinux: secid reconciliation fixes V01
>
>
> On Mon, 9 Oct 2006, Venkat Yekkirala wrote:
>
> > I did in fact test inside SELinux, and that's how I found
> > out these were igmp packets. These were getting labeled implicitly
> > with unlabeled_t, and now after labeling these distinctly, policy won't
> > have to grant access to the network to unlabeled packets. An alternative
> > is to not flow control any traffic that doesn't have a sock associated
> > with it.
>
> This might be worth considering as an intermediate step, and multicast
> support can be added later. Just need to make sure it doesn't break
> anything else.
A problem with NOT flow-controlling traffic with no associated sock is
that this (no-flow-control) would also then apply to the forwarded traffic.
I would rather just see what breaks (I seriously doubt it) in beta2 and fix
it.