[redhat-lspp] Re: [RFC][PATCH] NetLabel/CIPSO prototype patch (#2)

Paul Moore paul.moore at hp.com
Thu May 4 17:10:49 UTC 2006


Stephen Smalley wrote:
>>Basically I was trying to be a bit more informative in case somebody
>>ever wants to know the difference between a failed IPsec authorization,
>>-EPERM, and a packet that didn't even pass through IPsec, -EIDRM.  At
>>least that is how I understand the code to work, please correct me if 
>>I'm wrong.  I figured it was cheap to provide more information so why 
>>not do it?
>  
> Current code falls through to the unlabeled check in either case.  The
> first case isn't really a failed authorization; it is just the lack of a
> SELinux context for the association, in which case it is treated in the
> same manner as an unprotected packet, i.e. check for unlabeled status.
> EIDRM is a System V IPC-specific error, right?
> 
> In any event, if you aren't going to make use of the distinction
> yourself, then I'd not make it in the code.  It can always be added
> later if a caller does need the distinction.
>   

Fair enough.

-- 
paul moore
linux security @ hp



