[redhat-lspp] Re: labeled ipsec policy

Venkat Yekkirala vyekkirala at trustedcs.com
Thu Nov 30 15:57:08 UTC 2006


> > > I'm not very sure how users will use the SPD labeling.  I suspect that
> > > they will be labeled with probably the other side's domain type.  For
> > > example, if httpd_t and mozilla_t are connected, the SPD would be
> > > mozilla_t on the http machine and httpd_t on the mozilla machine.
> > >
> > 
> > In the simplest case, you would just have a generic "labeled_ipsec_t" Type
> > that would be specified for all the spd rules that pertain to labeled-ipsec.
> > All the different domains that need to use labeled-ipsec would then polmatch
> > to labeled_ipsec_t.
> > 
> > The SAs will always and automatically be using the 

s/always/always (when the spd rule has a context associated with it)/

> > originating domain Type.
> > So, the SA from the client to server would be auto-labeled mozilla_t,
> > rss_aggregator_t, etc. (on both ends), and the SA from the server to client
> > would be auto-labeled httpd_t (again on both ends).
> 
> Ok, so then I will go with my original idea of a type ipsec_spd_t and
> create an interface that allows sysadmins to create selinux policy for
> "polmatching" ipsec SAs to the ipsec policy type, ipsec_spd_t. Thanks!!
> 
> Joy 
> 
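As an added illustration (not part of this thread and not Joy's policy work), this is what the arrangement above looks like on the web-server side: the SPD entries carry the generic ipsec_spd_t context, the negotiated SAs get the label of the domain that triggered them, and a small policy module grants the polmatch/sendto/recvfrom rules. The addresses, module name and interface name are assumptions; the reference policy later shipped an equivalent interface as ipsec_match_default_spd().

```text
# --- setkey SPD fragment on the web server (constructed addresses) ---
# Both SPD rules carry the generic type; they are never labeled httpd_t or
# mozilla_t. The SAs that match them are auto-labeled by the originating
# domain (httpd_t for server->client, mozilla_t for client->server).
spdadd 192.0.2.20 192.0.2.10 any -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0" -P out ipsec esp/transport//require;
spdadd 192.0.2.10 192.0.2.20 any -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0" -P in  ipsec esp/transport//require;

# --- local_ipsec.if (hypothetical name for the interface Joy describes) ---
interface(`local_ipsec_polmatch_spd',`
    gen_require(`
        type ipsec_spd_t;
    ')
    # A socket in domain $1 may match SPD entries labeled ipsec_spd_t ...
    allow $1 ipsec_spd_t:association polmatch;
    # ... and may send on the SA that was auto-labeled with its own type.
    allow $1 self:association sendto;
')

# --- local_ipsec_web.te (hypothetical local module) ---
policy_module(local_ipsec_web, 1.0)

gen_require(`
    type httpd_t, mozilla_t;
')

local_ipsec_polmatch_spd(httpd_t)
local_ipsec_polmatch_spd(mozilla_t)

# Cross-domain traffic: the client->server SA is labeled mozilla_t on both
# ends, so httpd_t must be allowed to receive from it; the reverse SA is
# labeled httpd_t, so mozilla_t must be allowed to receive from that one.
allow httpd_t mozilla_t:association recvfrom;
allow mozilla_t httpd_t:association recvfrom;
```

A denial on the association class (polmatch, sendto or recvfrom) in the audit log is the check that one of these rules is missing rather than a problem with the IKE negotiation itself.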
