
RE: Limiting IPC with SELinux?



On Mon, 25 Apr 2005, Stephen Smalley wrote:

> True, but I don't think this will help much in this particular case, as
> the original poster wants to control information flow via loopback and
> you aren't likely to be using IPSEC on such traffic.

You could use null encryption and null authentication.

Another possibility is to implement SO_PEERSEC for loopback TCP, although 
I think it requires more LSM hooks.

> In the absence of a sk_buff security field and associated hooks for
> lifecycle management, I think that we'd have to go with something like
> the iptables MARK module, ala LIDS.

I think this is at the wrong layer; how would you query the socket for 
peer security information?


- James
-- 
James Morris
<jmorris redhat com>



