On Tue, 2007-12-11 at 12:02 -0500, Paul Moore wrote:
> After a discussion with Venkat last week we decided that it was probably best
> if I took responsibility for the flow control patches and ported/cleaned them
> up for inclusion in the labeled networking patches for 2.6.25. In the course
> of doing so I ran across the problem of subject/object "ordering" (probably
> not the best term, but it's all I can think of right now). In both the "flow
> in" and "flow out" cases I'm tempted to use the packet's peer label as the
> object just for the sake of consistency and the ability to use the new "peer"
> object class for all network peer label access checks. However, I wanted to
> make sure that is what everyone had in mind from a conceptual point of view.
> See the two simple policy examples below:
>
> * Packet "flows" into the system, peer label is the object
>
>     allow netif_t peerlbl_t:peer flow_in;
>
> * Packet "flows" out of the system, peer label is the object
>
>     allow netif_t peerlbl_t:peer flow_out;

Can you give an example for the forwarding case? Also, how about in the
non-labeled networking case?

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.