[redhat-lspp] RE: [PATCH 0/1] selinux: secid reconciliation fixes V01
James Morris
jmorris at namei.org
Mon Oct 9 14:24:35 UTC 2006
On Mon, 9 Oct 2006, Venkat Yekkirala wrote:
> > > 3. Label igmp traffic with the igmp_packet initial context.
> >
> > Why is IGMP being handled separately? How many other
> > protocols will need
> > their own specific hooks?
>
> igmp seems like the only oddball out in that it sends packets
> outside of a socket (even a kernel sock) context; which also
> explains why there's a separate init sid defined/deprecated for
> this in the selinux policy.
I don't think a protocol-specific hook is going to be acceptable. Can you
test inside SELinux to determine that it's IGMP?
- James
--
James Morris
<jmorris at namei.org>