[redhat-lspp] secid reconciliation and localhost sockets

Paul Moore paul.moore at hp.com
Wed Oct 11 19:28:20 UTC 2006


Joe Nall wrote:
> On Oct 11, 2006, at 10:36 AM, Paul Moore wrote:
> 
>>Joe Nall wrote:
>>
>>>If the secid reconciliation patches don't make RH5, will localhost
>>>IP connections have MLS policy applied?
>>
>>Just a second while I get my dead-horse-beating-mallets out of my
>>desk drawer ... there we go.
>>
>>NetLabel, which *should* be present in RHEL5 with full support, works
>>without problem over localhost.  This means that, if NetLabel is
>>configured for the sending domain, packets sent to/over/through the
>>localhost interface will carry MLS attributes and will have MLS policy
>>applied as one would expect.
> 
> For 240 of the 1024 categories in the current policy :)

Sheesh, Joe, you always have to be so picky ;)

> Netlabel/CIPSO is great for talking to other operating systems, but
> if it is the _only_ mechanism to label local IP sockets, we have a problem.

As it stands, I believe it is the only mechanism able to label local IP sockets
that is currently in the RHEL5 kernel.  One possible workaround would be to use
UNIX domain sockets if you know you will be talking to a process on the local
machine.

-- 
paul moore
linux security @ hp
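To show where Joe's "240 of the 1024 categories" figure comes from, here is an added example (not code from this thread, nor from the NetLabel or kernel projects) that builds and parses a CIPSO tag type 1, the restrictive-bitmap tag that Linux NetLabel/CIPSO puts on the wire. It follows the tag layout of the CIPSO draft (FIPS 188) as used by the kernel's cipso_ipv4.c and assumes a pass-through DOI mapping, so level and category numbers are carried unchanged.

```python
"""CIPSO tag type 1 (restrictive bitmap) encoder/decoder. Added example.

Layout (CIPSO draft / FIPS 188, as in cipso_ipv4.c): IP option type 134,
option length, 4-byte DOI, then a type-1 tag of: tag type (1), tag length,
alignment octet (0), sensitivity level, category bitmap. The tag is capped
at 34 octets, so the bitmap holds at most 30 octets = 240 category bits.
An MLS policy with 1024 categories therefore cannot send c240..c1023 this way.
"""
import struct

CIPSO_OPT_TYPE = 134
CIPSO_OPT_HDR_LEN = 6            # type, length, DOI
CIPSO_TAG_RBM = 1
CIPSO_TAG_HDR_LEN = 4            # tag type, tag length, alignment, level
CIPSO_RBM_BITMAP_MAX = 30        # octets of bitmap allowed in a 34-octet tag
CIPSO_RBM_MAX_CAT = CIPSO_RBM_BITMAP_MAX * 8   # 240: first category that does NOT fit


def rbm_can_carry(categories) -> bool:
    """True if every category number fits in the 240-bit restrictive bitmap."""
    return all(0 <= c < CIPSO_RBM_MAX_CAT for c in categories)


def encode_rbm_tag(level: int, categories) -> bytes:
    """Build a CIPSO tag type 1 for one sensitivity level and a set of categories."""
    if not 0 <= level <= 255:
        raise ValueError("sensitivity level must fit in one octet")
    cats = sorted(set(categories))
    if not rbm_can_carry(cats):
        raise ValueError(f"categories above {CIPSO_RBM_MAX_CAT - 1} cannot be carried")
    nbytes = (cats[-1] // 8 + 1) if cats else 0
    bitmap = bytearray(nbytes)
    for c in cats:
        bitmap[c // 8] |= 0x80 >> (c % 8)   # category 0 is the MSB of octet 0
    return bytes([CIPSO_TAG_RBM, CIPSO_TAG_HDR_LEN + nbytes, 0, level]) + bytes(bitmap)


def encode_cipso_option(doi: int, level: int, categories) -> bytes:
    """Wrap a type-1 tag in the full IP option (type 134, length, DOI, tag)."""
    tag = encode_rbm_tag(level, categories)
    return bytes([CIPSO_OPT_TYPE, CIPSO_OPT_HDR_LEN + len(tag)]) + struct.pack(">I", doi) + tag


def decode_rbm_tag(tag: bytes):
    """Inverse of encode_rbm_tag: return (level, set_of_categories)."""
    if (len(tag) < CIPSO_TAG_HDR_LEN or tag[0] != CIPSO_TAG_RBM
            or tag[1] != len(tag) or len(tag) - CIPSO_TAG_HDR_LEN > CIPSO_RBM_BITMAP_MAX):
        raise ValueError("malformed or oversized type-1 tag")
    cats = {i * 8 + b for i, octet in enumerate(tag[CIPSO_TAG_HDR_LEN:])
            for b in range(8) if octet & (0x80 >> b)}
    return tag[3], cats
```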



