On Mon, 2005-04-25 at 08:38 -0400, Stephen Smalley wrote:
> On Fri, 2005-04-22 at 14:58 -0400, James Morris wrote:
> > On Fri, 22 Apr 2005, Steve Brueckner wrote:
> >
> > > return ephemeral ports. Or is there a chance of re-visiting the idea of
> > > getting labeled networking into the kernel?
> >
> > Work is being done on labeled networking via IPsec, see Trent Jaeger's
> > paper at http://www.selinux-symposium.org/2005/agenda.php
>
> True, but I don't think this will help much in this particular case, as
> the original poster wants to control information flow via loopback and
> you aren't likely to be using IPSEC on such traffic. In the absence of
> a sk_buff security field and associated hooks for lifecycle management,
> I think that we'd have to go with something like the iptables MARK
> module, ala LIDS.

Actually, Thomas Bleher's suggestion of extending the ipt owner module
might be better.

--
Stephen Smalley <sds@xxxxxxxxxxxxx>
National Security Agency