On Fri, 2009-07-24 at 17:44 -0400, Simo Sorce wrote:
> On Fri, 2009-07-24 at 16:21 -0500, Bruno Wolff III wrote:
> > I thought the idea was to label packets based on source and destination
> > (including ports) not application. Applications would get access to the
> > packets based on their context and the context (labels) of the packets.
> > I may have misunderstood though.
>
> What's the value of labeling packets based on source/destination ports?
> Doesn't seem to add any new information.
>
> If I get a packet for port 8080 it's always going to whatever
> application is listening on port 8080; unless you label the packet with an
> application context SELinux does not have any more information.
>
> Now if you allow applying application labels to packets then you could
> say that packets directed to 8080 are labeled squid_t and not apache_t
> and that would make quite a difference.
>
> It would prevent a rogue apache that gets to listen on 8080 from getting any
> packet, as they would be labeled squid_t which is not apache_t.

Sorry Bruno, after re-reading what you said I think we meant basically the same thing.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
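The arrangement Simo describes, packets arriving on TCP/8080 carrying a label that squid's domain may receive and apache's may not, is what SECMARK does on Linux: an iptables rule in the mangle table stamps a security context on the packet, CONNSECMARK propagates it to the rest of the connection, and the kernel checks `packet { recv }` against the receiving socket's domain. The script below is an added example written for this page; it is not code from the thread or from the Fedora policy. It assumes hypothetical packet types `squid_packet_t` and `http_packet_t`, uses Fedora's `httpd_t` for what the thread calls apache_t, and constructs a small port-to-label table and allow list. The `may_recv` function only simulates the kernel's decision over that constructed table so the script runs without root; `iptables_rules` and `policy_module` print the real rules and policy source that would enforce it. One detail the thread glosses over: SECMARK labels packets with a packet type, not with the process domain itself, so the policy pairs `squid_t` with `squid_packet_t` rather than labeling packets `squid_t`.

```shell
#!/bin/sh
# Added example, not from the thread: SECMARK labeling of packets by
# destination port, and the SELinux policy that lets only the intended
# domain receive them. Type names, ports and allow rules are assumptions
# constructed for this demo.

# Constructed table: "<tcp dport> <packet type>" (one pair per line).
PORT_LABELS="8080 squid_packet_t
80 http_packet_t"

# Constructed allow list: "<domain> <packet type it may send/recv>".
# Anything a SECMARK rule does not match is unlabeled_t, so domains that
# must keep talking to the rest of the world need that type too.
RECV_ALLOW="squid_t squid_packet_t
httpd_t http_packet_t
squid_t unlabeled_t
httpd_t unlabeled_t"

# packet_label_for_port PORT -> prints the label the rules assign, or
# unlabeled_t when no SECMARK rule matches (the kernel's default).
packet_label_for_port() {
    label=$(printf '%s\n' "$PORT_LABELS" | awk -v p="$1" '$1 == p { print $2; exit }')
    printf '%s\n' "${label:-unlabeled_t}"
}

# may_recv DOMAIN PORT -> exit 0 if DOMAIN's socket may receive a packet
# that arrived on PORT, 1 otherwise. Simulates the packet:recv check.
may_recv() {
    lbl=$(packet_label_for_port "$2")
    printf '%s\n' "$RECV_ALLOW" |
        awk -v d="$1" -v l="$lbl" '$1 == d && $2 == l { found = 1 }
                                  END { exit found ? 0 : 1 }'
}

# iptables_rules -> prints the mangle-table rules that implement PORT_LABELS.
iptables_rules() {
    # Re-apply the label stored on the conntrack entry to later packets.
    printf 'iptables -t mangle -A INPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore\n'
    # Stamp the first packet of each new connection according to its dport.
    printf '%s\n' "$PORT_LABELS" | while read -r port ptype; do
        printf 'iptables -t mangle -A INPUT -p tcp --dport %s -m state --state NEW -j SECMARK --selctx system_u:object_r:%s:s0\n' "$port" "$ptype"
    done
    # Save that label on the conntrack entry so --restore above finds it.
    printf 'iptables -t mangle -A INPUT -m state --state NEW -j CONNSECMARK --save\n'
}

# policy_module -> prints raw policy source (checkmodule -M -m) declaring the
# packet types and the allow rules from RECV_ALLOW. A rogue httpd_t process
# bound to 8080 gets no squid_packet_t rule, so its recv is denied.
policy_module() {
    cat <<'EOF'
module local_packets 1.0;
require {
    type squid_t;
    type httpd_t;
    type unlabeled_t;
    class packet { send recv };
}
type squid_packet_t;
type http_packet_t;
EOF
    printf '%s\n' "$RECV_ALLOW" | while read -r dom ptype; do
        printf 'allow %s %s:packet { send recv };\n' "$dom" "$ptype"
    done
}

# Stand-alone demo: show the rules, the policy and two enforcement decisions.
iptables_rules
policy_module
for d in squid_t httpd_t; do
    if may_recv "$d" 8080; then
        echo "$d: recv on 8080 allowed"
    else
        echo "$d: recv on 8080 denied"
    fi
done
```

Two practical points when doing this for real: loading even one SECMARK rule means every other packet on the box is now unlabeled_t, so each network domain needs `unlabeled_t:packet recv` (the reference policy grants this through `corenet_all_recvfrom_unlabeled`) or it silently loses connectivity; and the CONNSECMARK pair matters, because only the first packet of a connection matches `--state NEW`, so without `--save` and `--restore` the rest of the stream would fall back to unlabeled_t and the port-based distinction would evaporate after the SYN.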