[redhat-lspp] [PATCH] lsm-secpeer for IPSec labels
Paul Moore
paul.moore at hp.com
Wed Sep 14 15:26:17 UTC 2005
George Wilson wrote:
>
> The patch enables the SELinux LSM to set the peer security context for
> a socket based on the security context of the IPSec security
> association. The application may retrieve this context using
> getsockopt. When called, the kernel determines if the socket is a
> connected (TCP_ESTABLISHED) TCP socket and, if so, uses the dst_entry
> cache on the socket to retrieve the security associations. If a
> security association has a security context, the context string is
> returned, as for UNIX domain sockets.
>
Is there any reason why we are limiting ourselves to connected TCP
sockets? I understand that due to the nature of the sockets and the
fact that we are only implicitly labeling them via the SA it would be
much more difficult, but what about UDP-based applications?
--
. paul moore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. paul.moore at hp.com hewlett packard
. (603) 884-5056 linux security