On Thu, 2010-03-25 at 14:34 -0400, Stephen Smalley wrote:
> But the behavior for the new connection/server socket was changed for
> MLS during the LSPP work to reflect the level of the client. This makes
> sense when you have a single-level client connecting to a ranged server
> - the connection is then established at the requesting level and the
> traffic is labeled and protected accordingly.

I still don't understand why MLS is some 'other' class citizen of the context. If it makes sense to reflect the level it should make sense to reflect the type, and role, and user, if they are available. Doesn't it?

I know that some labeling magic (CIPSO) doesn't deal with anything but the level and thus the only thing we can/should do is play with the level, but when we have the info (unix domain sockets and I think some IPSec labeling right), why do we discard that additional info that makes these things 'make sense'?

-Eric