On Tuesday 19 February 2008 7:59:22 pm Kohei KaiGai wrote:
> Is it acceptable one, if we provide an interface to allow a domain
> to communicate postgresql_t via labeled networking, separated from
> existing permissions for local ports and nodes?
>
> For example:
> -- at postgresql.if
> interface(`postgresql_labeled_connect',`
>     gen_require(`
>         type postgresql_t;
>     ')
>     corenet_tcp_recvfrom_labeled($1,postgresql_t)
> ')
>
> and
> -- at apache.te
> postgresql_labeled_connect(httpd_t)
>
> I think this approach enables to keep independency between modules
> in unlabeled networking cases too.

For what it is worth, it looks like a good idea to me.

--
paul moore
linux security @ hp