On Mon, Dec 5, 2016 at 9:11 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On 12/02/2016 05:39 PM, Paul Moore wrote:
>> On Fri, Dec 2, 2016 at 12:40 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>>> I suppose a further question on this patch is whether it should also add
>>> new classes for ICMP, IGMP, and SCTP sockets (any others that are
>>> presently mapped to SECCLASS_RAWIP_SOCKET that ought to be given their
>>> own class?). In the SCTP case, this would at least allow them to be
>>> distinguished, but we would still lack the full support added by the
>>> separate SCTP patchset.
>>
>> For the record, I'm okay with this patch and I agree that the
>> compatibility concerns aren't likely to be significant. However, I
>> would like to continue the discussion on the idea to include classes
>> for ICMP, IGMP, and SCTP. I haven't looked into ICMP or IGMP, but
>> considering the changes necessary for SCTP I think it is okay to leave
>> SCTP out for now and add it in with proper SCTP support (and its own
>> policy capability).
>>
>> Stephen, I'm assuming you feel the same since you left that out of the patch?
>
> It depends on whether we think full SCTP support will be merged sooner
> or later. If there is the possibility that full SCTP support will not
> be merged for a while, then I think I'd rather just add a SCTP socket
> class as part of this patch so that we can at least distinguish between
> SCTP sockets and raw IP sockets in policy in the interim.

As I sit here I would like to think that we'll get proper SCTP support
merged sooner rather than later, but well ... things happen. I guess
there is no harm in adding the SCTP socket class now just in case.

> The other question is whether you agreed with Guido's suggested change
> for readability/maintainability or prefer the current style. I have no
> strong opinion either way.

I really don't care too much either way which is why I didn't comment
on it. I suppose I have a slight preference for Guido's suggested
style, but I wouldn't respin the patch just for that. However, if you
are going to add SCTP (which I'm guessing we should) go ahead and use
Guido's style.

--
paul moore
www.paul-moore.com