Yes, domain.te calls ipsec_labeled(domain) if the allow_ipsec_label boolean is set to true, so this is provided for all domain types. That answers it. Thanks to everyone who looked at this for me!!! > -----Original Message----- > From: Clarkson, Mike R (US SSA) > Sent: Friday, February 15, 2008 5:48 PM > To: 'Joy Latten' > Cc: selinux@xxxxxxxxxxxxx > Subject: RE: Brindle example of labeled IPSec > > Ohhhhh ... I see your point now. > > The mere fact that I've called domain_type(brindle_client_t) may give me > ipsec_labeled(domain) for free. I'll look into that. > > Thank you!!! > > > -----Original Message----- > > From: Joy Latten [mailto:latten@xxxxxxxxxxxxxx] > > Sent: Friday, February 15, 2008 5:41 PM > > To: Clarkson, Mike R (US SSA) > > Cc: selinux@xxxxxxxxxxxxx > > Subject: RE: Brindle example of labeled IPSec > > > > >I agree with everything that you've mentioned above, the only problem > > >being that my brindle_client and brindle_server modules didn't call the > > >ipsec_labeled interface. That's why I'm confused as to why it is > > >working. It shouldn't be working. > > > > It's been a while and I don't have the policy in front of me, > > so others may be better able to answer this... > > The base reference policy (when using mls) contains this rule. It has a > > rule, ipsec_labeled(domain). > > > > > > regards, > > Joy -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
