> > mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
> >     (( h1 dom h2 ) or ( t1 == mcsnetwrite ));
> >
> For some reason we do not do this in MLS policy. Does anyone
> know why we don't do this for MLS?
>

I believe it is because we didn't make ports in MLS labeled objects. On other trusted network implementations, there was the idea of polyinstantiated ports so every label could always have one. We didn't do that on Linux; we just allow the port access to be first come, first served and let TE instead of MLS define what application should be using the port. There could be connections coming in to the port at multiple levels if the application is a trusted service and has the ability to talk to each of the clients.

-Chad

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
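The following is an added example, not code from the thread or from the SELinux policy itself: a small model of how the quoted node_bind constraint is evaluated, so that "h1 dom h2" can be tried against concrete contexts. The contexts, the node type and the set of types standing in for the mcsnetwrite attribute are all constructed here; the real check is done by the kernel's MLS code.

```python
# Added example (not from the thread): evaluate the quoted MCS constraint
#   mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
#       (( h1 dom h2 ) or ( t1 == mcsnetwrite ));
# over constructed source and node contexts. h1/h2 are the high levels of the
# source process and the target node; t1 is the source type.
from dataclasses import dataclass

# In policy, mcsnetwrite is an attribute, so "t1 == mcsnetwrite" is really
# "t1 carries the attribute". This constructed set stands in for it.
MCSNETWRITE_TYPES = frozenset({"example_netwrite_t"})


@dataclass(frozen=True)
class Level:
    """One MLS/MCS level: a sensitivity number and a set of categories."""
    sensitivity: int
    categories: frozenset

    def dominates(self, other: "Level") -> bool:
        # "l1 dom l2": sensitivity is >= and categories are a superset.
        return (self.sensitivity >= other.sensitivity
                and self.categories >= other.categories)


def parse_level(text: str) -> Level:
    """Parse 's0', 's0:c1,c2' or 's0:c0.c1023' (ranges are expanded)."""
    sens, _, cats = text.partition(":")
    categories = set()
    for item in filter(None, cats.split(",")):
        if "." in item:
            lo, hi = (int(c[1:]) for c in item.split("."))
            categories.update(range(lo, hi + 1))
        else:
            categories.add(int(item[1:]))
    return Level(int(sens[1:]), frozenset(categories))


@dataclass(frozen=True)
class Context:
    """user:role:type:low[-high], as shown by ps -Z or ls -Z."""
    user: str
    role: str
    type: str
    low: Level
    high: Level


def parse_context(text: str) -> Context:
    user, role, typ, rng = text.split(":", 3)   # levels contain ':' too
    low_txt, _, high_txt = rng.partition("-")
    low = parse_level(low_txt)
    high = parse_level(high_txt) if high_txt else low  # no range: high == low
    return Context(user, role, typ, low, high)


def node_bind_allowed(source: Context, node: Context) -> bool:
    """The constraint body: (h1 dom h2) or (t1 == mcsnetwrite)."""
    return source.high.dominates(node.high) or source.type in MCSNETWRITE_TYPES
```

A process whose high level is s0:c10,c20 cannot bind to a node labeled s0-s0:c0.c1023, while a process running at s0-s0:c0.c1023 can; node_t is used here only as a sample node type.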