[redhat-lspp] Creating a context/SID for MLS CIPSO packets

Traditional CIPSO only sends the MLS label along with the packet. This is fine for traditional MLS systems but causes problems here in TE land. The problem being, how does one create a full SELinux context/SID with only the MLS label?

From my limited knowledge of the security server, it looks like the best way is to create a new entry in the policy's default context field, policydb->ocontexts[OCON_NETLBL], with a default context minus the MLS label. Whenever an MLS CIPSO packet arrives I could generate a context using the default context and the MLS label and do a sidtab_search(). If the results did not yield an existing SID I would insert the new context into the SID table.

So SELinux gurus I ask you, is that a reasonable approach? Or am I missing something here and way off base?

paul moore
linux security @ hp
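The lookup-or-insert step described in the post, as an added userspace simulation (this is example code, not Paul Moore's patch and not the SELinux security server's own sidtab code). The toy table, the names sidtab_search_ctx, sidtab_context, build_context and sid_for_cipso_label, and the default context "system_u:object_r:netlabel_peer_t" are assumptions for illustration; the real sidtab works on parsed context structures, not strings.

```c
/* Added example, not from the post or the SELinux kernel code: simulate
 * "default context (no MLS field) + MLS label from CIPSO -> SID", searching
 * a SID table first and allocating a new SID only for an unseen context. */
#include <stdio.h>
#include <string.h>

#define MAX_SIDS 64
#define CTX_LEN  256

/* Toy SID table: slot i holds the context string for SID i + 1, so SID 0
 * stays free to mean "no/invalid SID", like the kernel's SECSID_NULL. */
static char sidtab[MAX_SIDS][CTX_LEN];
static unsigned int nsids;

/* Return the SID already assigned to an exact context string, or 0. */
static unsigned int sidtab_search_ctx(const char *ctx)
{
    unsigned int i;
    for (i = 0; i < nsids; i++)
        if (strcmp(sidtab[i], ctx) == 0)
            return i + 1;
    return 0;
}

/* Return the context string stored for a SID, or NULL if unassigned. */
const char *sidtab_context(unsigned int sid)
{
    if (sid == 0 || sid > nsids)
        return NULL;
    return sidtab[sid - 1];
}

/* Build "user:role:type:MLS" from a default context that carries no MLS
 * field and the label taken from the CIPSO option. Returns 0 on success,
 * -1 if either piece is malformed or the result would not fit. */
static int build_context(char *out, size_t len, const char *def, const char *mls)
{
    const char *p;
    int colons = 0;

    /* the default must be exactly user:role:type (two ':' separators) */
    for (p = def; *p; p++)
        if (*p == ':')
            colons++;
    if (colons != 2)
        return -1;
    /* an MLS label may itself contain ':' (s0:c0.c1023) but never space */
    if (mls[0] == '\0' || strchr(mls, ' ') != NULL)
        return -1;
    if (snprintf(out, len, "%s:%s", def, mls) >= (int)len)
        return -1;
    return 0;
}

/* The step from the post: compose the full context, search the SID table,
 * and insert a new entry (allocating a SID) only when the context is new. */
unsigned int sid_for_cipso_label(const char *def_ctx, const char *mls)
{
    char ctx[CTX_LEN];
    unsigned int sid;

    if (build_context(ctx, sizeof ctx, def_ctx, mls) < 0)
        return 0;
    sid = sidtab_search_ctx(ctx);
    if (sid)
        return sid;             /* existing SID, nothing inserted */
    if (nsids >= MAX_SIDS)
        return 0;               /* table full: treat packet as unlabeled */
    strcpy(sidtab[nsids], ctx); /* fits: snprintf above bounded the length */
    return ++nsids;
}

int main(void)
{
    /* assumed default context from policydb->ocontexts[OCON_NETLBL] */
    const char *def = "system_u:object_r:netlabel_peer_t";
    unsigned int a = sid_for_cipso_label(def, "s0");
    unsigned int b = sid_for_cipso_label(def, "s0");
    unsigned int c = sid_for_cipso_label(def, "s2:c0.c1023");

    printf("s0 -> SID %u, again -> SID %u, s2:c0.c1023 -> SID %u\n", a, b, c);
    printf("SID %u is %s\n", c, sidtab_context(c));
    printf("empty label -> SID %u\n", sid_for_cipso_label(def, ""));
    return 0;
}
```

The second call with the same label returns the SID the first call allocated, so repeated packets with one label do not grow the table; a label the table has never seen gets a fresh SID, and a malformed label or default context yields SID 0 rather than a half-built context.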

