<snip>
> > There are 2 aspects:
> >
> > 1. IPsec policy matching discussed above:
> >
> > allow domain-that-should-use-labeled-ipsec
> > ipsec_spd_t:association { polmatch };
> >
> > 2. Use of IPsec associations themselves:
> >
> > For sending:
> >
> > allow domain-that-should-use-labeled-ipsec-to-label-its-packets
> > self:association { sendto };
> >
> > For receiving:
> >
> > allow domain-that-should-receive-from-peer peer-domain
> > self:association { recvfrom };
>
> When we consider the case where an unconfined_t process tries to
> communicate with a postgresql_t process running on another host via
> labeled IPsec, the following policy will be needed.
>
> 1. allow unconfined_t ipsec_spd_t : association { polmatch };

Also, allow postgresql_t ipsec_spd_t : association { polmatch };
since the incoming packet labeled postgresql_t should be checked
against the IPsec policy (SPD) rule labeled with ipsec_spd_t.

> 2s. allow unconfined_t self : association { sendto };

OK.

> 2r. allow postgresql_t unconfined_t : association { recvfrom };

This should actually be:

allow unconfined_t postgresql_t : association { recvfrom };

since it would be the unconfined_t socket that would be receiving a
packet using the postgresql_t association.

> > Is it correct?
> <snip>

--
This message was distributed to subscribers of the selinux mailing list.
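As an added example (not part of the thread above, and not code from either poster), the rules the reply arrives at, collected into a loadable SELinux policy module together with the checkmodule/semodule_package/semodule steps that build and install it. The module name labeled_ipsec_pgsql and the output file names are assumptions; unconfined_t, postgresql_t and ipsec_spd_t are the types the thread uses. With the argument "both", the generated module goes beyond the thread and also adds the mirror rules needed for postgresql_t to answer, following the same subject/object convention the reply spells out (the receiving socket's domain is the subject, the peer's association is the object).

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Emits a raw (non-refpolicy) SELinux policy module for the labeled-IPsec
# case discussed: unconfined_t talking to postgresql_t on another host.
# Module name "labeled_ipsec_pgsql" is an assumption.

# Print the .te source to stdout. Pass "both" to also emit the reverse
# direction (postgresql_t replying to unconfined_t), which the thread
# itself does not cover.
labeled_ipsec_te() {
    cat <<'EOF'
module labeled_ipsec_pgsql 1.0;

require {
    type unconfined_t;
    type postgresql_t;
    type ipsec_spd_t;
    class association { polmatch sendto recvfrom };
}

# 1. Both endpoint domains must match the SPD entry labeled ipsec_spd_t:
#    the sender when its traffic is selected for labeled IPsec, and the
#    receiver when the incoming postgresql_t-labeled packet is checked
#    against the SPD rule.
allow unconfined_t ipsec_spd_t:association polmatch;
allow postgresql_t ipsec_spd_t:association polmatch;

# 2s. unconfined_t labels its outgoing packets with its own association.
allow unconfined_t self:association sendto;

# 2r. Subject is the receiving socket's domain, object is the peer's
#     association: the unconfined_t socket receives packets that arrive
#     on the postgresql_t association (not "postgresql_t unconfined_t").
allow unconfined_t postgresql_t:association recvfrom;
EOF
    if [ "$1" = "both" ]; then
        cat <<'EOF'

# Reverse direction (added generalization, not discussed in the thread):
# postgresql_t sends with its own association and its socket receives
# packets that arrive on the unconfined_t association.
allow postgresql_t self:association sendto;
allow postgresql_t unconfined_t:association recvfrom;
EOF
    fi
}

# Build and load the module on a host with the SELinux userspace tools.
# $1 = working directory (default: .), $2 = "both" for the reverse rules.
build_and_load() {
    dir=${1:-.}
    labeled_ipsec_te "$2" > "$dir/labeled_ipsec_pgsql.te"
    checkmodule -M -m -o "$dir/labeled_ipsec_pgsql.mod" "$dir/labeled_ipsec_pgsql.te"
    semodule_package -o "$dir/labeled_ipsec_pgsql.pp" -m "$dir/labeled_ipsec_pgsql.mod"
    semodule -i "$dir/labeled_ipsec_pgsql.pp"
}

# Stand-alone run: just print the one-direction module source.
if [ "${0##*/}" != "sh" ] && [ -z "$LABELED_IPSEC_NO_MAIN" ]; then
    labeled_ipsec_te "$@"
fi
```

After `build_and_load`, a quick check that the loaded policy matches the reply's direction is `sesearch -A -s unconfined_t -c association` (from setools): the expected line is `allow unconfined_t postgresql_t:association recvfrom;`, and a line with the subject and object swapped indicates the mistake the reply corrects.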