On Fri, 30 Sep 2005, Gregory Maxwell wrote:

> > We probably need to rethink the way IP sockets default to 'raw', as new IP
> > protocols are sometimes developed (DCCP has just been implemented) and we
> > don't know that the 'raw' IP controls are always appropriate.
>
> In many cases the use of new protocols is so special use that it
> wouldn't hurt to give apps raw until better support is added. For
> example, a routing daemon speaking OSPF.

Agreed. All of the checks for 'raw' sockets are at the IP level, so
hopefully nothing will break.

> SCTP obviously will need full support, since it will eventually be
> used as a general purpose transport in many applications and may
> eventually supplant TCP and UDP in some places. It would be nice if
> SELinux could step up to controlling the ability to control all
> address bindings (i.e. application X can only form connections on the
> secure network), but since they can be added and removed on an active
> connection that might be interesting.
>
> Is there currently the ability to control IPSec behavior from SELinux
> (i.e. application X can only use TCP across an encrypted link), if so
> that might provide some guidance in how to make some of the extra sctp
> knobs look..

There's some work heading upstream integrating SELinux and IPSec, check
the recent netdev archives.

- James
--
James Morris <jmorris@xxxxxxxxx>