Re: [RFC][PATCH] selinux: support distinctions among all network address families

On 12/02/2016 05:39 PM, Paul Moore wrote:
> On Fri, Dec 2, 2016 at 12:40 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>> I suppose a further question on this patch is whether it should also add
>> new classes for ICMP, IGMP, and SCTP sockets (any others that are
>> presently mapped to SECCLASS_RAWIP_SOCKET that ought to be given their
>> own class?).  In the SCTP case, this would at least allow them to be
>> distinguished, but we would still lack the full support added by the
>> separate SCTP patchset.
> 
> For the record, I'm okay with this patch and I agree that the
> compatibility concerns aren't likely to be significant.  However, I
> would like to continue the discussion on the idea to include classes
> for ICMP, IGMP, and SCTP.  I haven't looked into ICMP or IGMP, but
> considering the changes necessary for SCTP I think it is okay to leave
> SCTP out for now and add it in with proper SCTP support (and its own
> policy capability).
> 
> Stephen, I'm assuming you feel the same since you left that out of the patch?

It depends on whether we think full SCTP support will be merged sooner
or later.  If there is the possibility that full SCTP support will not
be merged for a while, then I think I'd rather just add a SCTP socket
class as part of this patch so that we can at least distinguish between
SCTP sockets and raw IP sockets in policy in the interim.

The other question is whether you agreed with Guido's suggested change
for readability/maintainability or prefer the current style. I have no
strong opinion either way.

