[redhat-lspp] Re: labeled ipsec policy

Joy Latten latten at austin.ibm.com
Wed Nov 29 23:51:56 UTC 2006


On Wed, 2006-11-29 at 14:42 -0600, Venkat Yekkirala wrote:
> > I'm not very sure how users will use the SPD labeling.  I suspect that
> > they will be labeled with probably the other side's domain type.  For
> > example, if httpd_t and mozilla_t are connected, the SPD would be
> > mozilla_t on the http machine and httpd_t on the mozilla machine.
> >
> 
> In the simplest case, you would just have a generic "labeled_ipsec_t" Type
> that would be specified for all the spd rules that pertain to labeled-ipsec.
> All the different domains that need to use labeled-ipsec would then polmatch
> to labeled_ipsec_t.
> 
> The SAs will always and automatically be using the originating domain Type.
> So, the SA from the client to server would be auto-labeled mozilla_t,
> rss_aggregator_t, etc. (on both ends), and the SA from the server to client
> would be auto-labeled httpd_t (again on both ends).

Ok, so then I will go with my original idea of a type ipsec_spd_t and
create an interface that allows sysadmins to create selinux policy for
"polmatching" ipsec SAs to the ipsec policy type, ipsec_spd_t. Thanks!!

Joy 
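The scheme Venkat describes and Joy adopts, as an added illustration that is not code from this thread or from any shipped policy: one generic type for labeled-IPsec SPD entries, a refpolicy-style interface that grants a domain the `polmatch` check against entries of that type, and the call a domain's module would make. The interface name `ipsec_match_default_spd`, the caller `mozilla_t` and the file placements are assumptions for the example.

```m4
## Added example, not from the thread or from any shipped policy.
## Declares a single generic type for labeled-ipsec SPD entries and an
## interface that lets a domain's traffic match SPD entries of that type.
## Interface name, calling domain and file placement are assumptions.

# ipsec.te: one generic type shared by every labeled-ipsec SPD entry,
# instead of labeling each entry with the peer domain's type
type ipsec_spd_t;

# ipsec.if: allow a domain to match SPD entries labeled ipsec_spd_t.
# 'polmatch' is the association-class permission checked when a socket's
# traffic is compared against a labeled SPD entry; it says nothing about
# the SAs, which carry the originating domain's type instead.
interface(`ipsec_match_default_spd',`
	gen_require(`
		type ipsec_spd_t;
	')
	allow $1 ipsec_spd_t:association polmatch;
')

# mozilla.te (assumed caller): mozilla_t may use labeled-ipsec SPD entries.
# The sendto/recvfrom checks on the SA labels (mozilla_t toward the server,
# httpd_t back toward the client) are separate rules and are not shown here.
ipsec_match_default_spd(mozilla_t)
```

The corresponding SPD entry then carries the generic context rather than a peer type; with ipsec-tools' setkey that is the `-ctx` option, for example `spdadd 10.0.0.1 10.0.0.2 any -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0" -P out ipsec esp/transport//require;` (addresses assumed). Every domain that should traverse that tunnel calls the interface; no per-peer SPD labels are needed because the SAs are labeled automatically from the socket that triggered them.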



