On Thu, 2008-08-28 at 21:22 -0700, Casey Schaufler wrote:
> Trent Jaeger wrote:
> > ...
> >>
> >> However it sounded like you could just use setsockcreatecon(3) to
> >> achieve your goal, which would be cleaner than relabeling an existing
> >> socket.
> >
> > Yes, that works for what we are doing now. I'd be curious if someone
> > has a need beyond setting a label on creation.
> >
>
> Sure, any service that wants to serve clients with a variety of labels.
> The X server is an obvious candidate. A multi-label message bus. Label
> aware sendmail. xinetd. Name services (the YP/NIS of the day). Anywhere
> you want the label of the response to depend on the label of the request.
> Yes, we're talking about Trusted Applications here, and specially coded
> ones at that. Sometimes that's the best way.

The application doesn't have to relabel the socket to achieve that - we
handle that when we compute the label for the new connection socket
based in part on the label of the connecting request.

--
Stephen Smalley
National Security Agency