On Fri, 2009-07-24 at 16:21 -0500, Bruno Wolff III wrote:
> I thought the idea was to label packets based on source and destination
> (including ports) not application. Applications would get access to the
> packets based on their context and the context (labels) of the packets.
> I may have misunderstood though.

What's the value of labeling packets based on source/destination ports?
Doesn't seem to add any new information. If I get a packet for port 8080
it's always going to whatever application is listening on port 8080;
unless you label the packet with an application context, SELinux does
not have any more information.

Now, if you allow applying application labels to packets, then you could
say that packets directed to 8080 are labeled squid_t and not apache_t,
and that would make quite a difference. It would prevent a rogue apache
that gets to listen on 8080 from getting any packet, as they would be
labeled squid_t, which is not apache_t.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
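As an added example (not part of the thread), this is how the application-labelled packet scheme Simo describes is expressed with SECMARK plus a small policy module: netfilter marks port 8080 packets with a squid-only packet type, and only squid_t is allowed to send or receive them. The packet type name squid_server_packet_t, the module name, and the assumption that squid_t and httpd_t exist in the loaded policy are mine, not the thread's.

```shell
# Added example, not from the thread: SECMARK rules binding port 8080
# traffic to a squid-only packet type, plus the matching SELinux policy.
# Assumptions: squid_t and httpd_t exist in the loaded policy; the packet
# type squid_server_packet_t and the module name are hypothetical.
set -eu

PORT=8080
PKT_CTX="system_u:object_r:squid_server_packet_t:s0"

# Netfilter rules: label new connections to the port and carry the label
# across the connection with CONNSECMARK so replies get it too.
secmark_rules() {
    cat <<EOF
iptables -t mangle -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j CONNSECMARK --restore
iptables -t mangle -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j CONNSECMARK --restore
iptables -t mangle -A INPUT  -p tcp --dport $PORT -m conntrack --ctstate NEW -j SECMARK --selctx $PKT_CTX
iptables -t mangle -A INPUT  -m conntrack --ctstate NEW -j CONNSECMARK --save
EOF
}

# Type enforcement module: only squid_t may handle the new packet type.
# No rule for httpd_t, so a rogue httpd bound to 8080 is denied 'recv'.
# Once any SECMARK rule is loaded every packet carries a label; unmatched
# packets are unlabeled_t and must still be permitted explicitly.
te_policy() {
    cat <<'EOF'
policy_module(squid_secmark, 1.0)

require {
    type squid_t;
    type httpd_t;
}

type squid_server_packet_t;
corenet_packet(squid_server_packet_t)

allow squid_t squid_server_packet_t:packet { send recv };

kernel_sendrecv_unlabeled_packets(squid_t)
kernel_sendrecv_unlabeled_packets(httpd_t)
EOF
}

# Dry run by default; APPLY=1 loads the rules and builds the module
# (needs root and the selinux-policy-devel Makefile).
if [ "${APPLY:-0}" = 1 ]; then
    secmark_rules | sh -e
    te_policy > squid_secmark.te
    make -f /usr/share/selinux/devel/Makefile squid_secmark.pp
    semodule -i squid_secmark.pp
else
    secmark_rules
    te_policy
fi
```

Running it without APPLY only prints the rules and the .te text, so the labelling can be reviewed before anything is loaded.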