I'm doing some spring cleaning on refpolicy, cleaning out some old unused/unnecessary networking permissions. I'm trying to make sure I have the permissions checks straight, since labeled networking isn't common use. For labeled IPsec, we have the following permissions (assuming all policy capabilities are on--assume maximum checks): netif: ingress/egress node: sendto/recvfrom peer: recv association: sendto/recvfrom I'm told that association perms are checked in the following cases: sendto: when a packet leaves the box (legacy only) and when a SA/flow is checked recvfrom: when an incoming packet is queued on a socket (legacy only) Does "legacy only" mean the checks will eventually go away, or is it for a legacy IPsec configuration? -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
