[redhat-lspp] secid reconciliation and localhost sockets

Paul Moore paul.moore at hp.com
Wed Oct 11 15:36:31 UTC 2006


Joe Nall wrote:
> If the secid reconciliation patches don't make RH5, will localhost
> IP connections have MLS policy applied?

Just a second while I get my dead-horse-beating-mallets out of my desk drawer
... there we go.

NetLabel, which *should* be present in RHEL5 with full support, works without
problem over localhost.  This means that, if NetLabel is configured for the
sending domain, packets sent to/over/through the localhost interface will carry
MLS attributes and will have MLS policy applied as one would expect.  NetLabel
doesn't carry the full context (yet, but that's a different topic altogether), so
you will still have to deal with the context having "unlabeled_t" for a type, but
considering that most MLS-aware apps (I'm thinking of xinetd right now) are
probably not going to care about the TE portion of the context, it probably isn't
too big a deal right now.

-- 
paul moore
linux security @ hp
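
An added illustration, not part of Paul Moore's message and not code from NetLabel or xinetd: a sketch of how an MLS-aware service could use only the MLS portion of a peer context whose type arrives as "unlabeled_t". The function names and the sample context are constructed, and the dominance check is a simplified model of an MLS read decision, not the loaded SELinux policy.

```python
import re

def split_context(ctx):
    """Split 'user:role:type:mls'. Only the first three ':' separate fields;
    the MLS field keeps its own ':' (as in 's2:c1,c3')."""
    user, role, setype, mls = ctx.split(":", 3)
    return user, role, setype, mls

def parse_level(level):
    """'s2:c1,c3.c5' -> (2, frozenset({1, 3, 4, 5}))"""
    sens, _, cats = level.partition(":")
    m = re.fullmatch(r"s(\d+)", sens)
    if not m:
        raise ValueError(f"bad sensitivity: {sens!r}")
    found = set()
    for item in filter(None, cats.split(",")):
        c = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", item)  # 'c3' or 'c3.c5'
        if not c:
            raise ValueError(f"bad category: {item!r}")
        lo = int(c.group(1))
        hi = int(c.group(2)) if c.group(2) else lo
        if hi < lo:
            raise ValueError(f"reversed category range: {item!r}")
        found.update(range(lo, hi + 1))
    return int(m.group(1)), frozenset(found)

def peer_level(peer_ctx):
    """Low level of the peer's MLS range; user, role and type are ignored,
    so a type of 'unlabeled_t' does not affect the result."""
    mls = split_context(peer_ctx)[3]
    return parse_level(mls.split("-", 1)[0])

def dominates(a, b):
    """a dominates b: sensitivity at least as high, categories a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def peer_may_read(peer_ctx, object_level):
    """Simplified MLS read check: the peer's level must dominate the object's."""
    return dominates(peer_level(peer_ctx), parse_level(object_level))

if __name__ == "__main__":
    # Constructed peer context: MLS attributes present, type is unlabeled_t.
    peer = "system_u:object_r:unlabeled_t:s2:c1,c3"
    for obj in ("s1:c1", "s2:c1,c4", "s3"):
        print(obj, peer_may_read(peer, obj))
```

A context with no MLS field at all raises ValueError in split_context, so the caller can refuse the connection rather than guess a level.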



