On Tue, 8 Jan 2008, Paul Moore wrote:

> (quick refresher, the packet's peer label is taken/derived from the original
> sending socket and "attached" to the packet via NetLabel or labeled IPsec).
> Since the packet's peer label conveys the same label as the sending socket,
> using the packet's peer label in place of the sending socket seems to be a
> natural fit.
>
> Agree? Disagree? Other ideas?

Agree. I think the forward_in/out thing works.

It'd be interesting to see what some fully worked network policy would look like for a couple of cases (e.g. secmark only, or secmark + ipsec).

-- 
James Morris <jmorris@xxxxxxxxx>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
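As an added illustration of the two cases James asks about (this is not from the thread and not Paul Moore's or James Morris's code), the script below prints a "secmark only" ruleset and policy fragment for a web server domain, and then the extra rules needed once NetLabel or labeled IPsec supplies a peer label. The type names httpd_t, http_server_packet_t and client_peer_t, the port, and the module name are assumptions chosen for the example; the packet class permissions send, recv, forward_in and forward_out and the peer class recv permission are the real SELinux object classes the discussion refers to. The iptables commands are printed rather than executed so the script runs anywhere.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Names are hypothetical:
# httpd_t (process domain), http_server_packet_t (SECMARK label),
# client_peer_t (peer label delivered by NetLabel or labeled IPsec).

# Case 1: SECMARK only. Packets get a label in the mangle table and
# CONNSECMARK carries that label across the rest of the connection.
# Rules are echoed, not applied.
secmark_rules() {
    cat <<'EOF'
iptables -t mangle -A INPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
iptables -t mangle -A INPUT -p tcp --dport 80 -m state --state NEW -j SECMARK --selctx system_u:object_r:http_server_packet_t:s0
iptables -t mangle -A INPUT -m state --state NEW -j CONNSECMARK --save
iptables -t mangle -A OUTPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
EOF
}

# Policy fragment (refpolicy module syntax) for the SECMARK-only case:
# the socket's domain is checked against the packet's SECMARK label.
secmark_only_policy() {
    cat <<'EOF'
policy_module(http_secmark, 1.0)

gen_require(`
    type httpd_t;
    class packet { send recv forward_in forward_out };
')

type http_server_packet_t;

# Local sockets in httpd_t may send and receive packets carrying the mark.
allow httpd_t http_server_packet_t:packet { send recv };
EOF
}

# Case 2: SECMARK plus labeled IPsec / NetLabel. A forwarded packet has no
# local sending socket, so the forward_in/forward_out checks use the packet's
# peer label as the source (the point of the thread); the receiving socket's
# domain must additionally be allowed to receive from that peer label.
secmark_plus_peer_policy() {
    secmark_only_policy
    cat <<'EOF'

gen_require(`
    class peer recv;
')

type client_peer_t;

# Forwarding host: peer label (source) vs. SECMARK label (target).
allow client_peer_t http_server_packet_t:packet { forward_in forward_out };

# Receiving host: socket domain (source) vs. peer label (target).
allow httpd_t client_peer_t:peer recv;
EOF
}

# Run stand-alone to print both cases.
if [ "${1:-}" = "--print" ]; then
    secmark_rules
    echo
    secmark_plus_peer_policy
fi
```

The peer label only reaches the packet when NetLabel (CIPSO) or labeled IPsec is actually configured between the hosts; with SECMARK alone, the peer class rule is never consulted, and the secmark_only_policy fragment is sufficient.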