On Tue, 30 Jun 2009, Paul Moore wrote:

> So how do we fix it? Well, there are two options that I can think of right
> now (feel free to add to the list):
>
> 1. Set the sock's label/SID in sk_alloc()
> 2. Introduce a new hook to set the label/SID of a sock and call it from
> tun_set_iff()
>
> The problem with #2 is that it introduces a new (basically TUN specific) hook
> to do something silly. Important, but still kinda silly. The problem with #1
> is that we currently set the sock's label/SID in selinux_socket_post_create()
> and match it with the inode's label/SID which has the potential to get ugly (I
> haven't verified all of those cases yet). However, there may be an
> alternative, call it #1a, where we set the label of the sock in sk_alloc() and then use
> the sock's label to set the inode's label in socket_post_create(); this should
> solve the potential ugliness.
>
> Thoughts?

I'm not sure, but we probably need to include the netdev list in the discussion.

--
James Morris <jmorris@xxxxxxxxx>