James Morris wrote:
> On Wed, 8 Nov 2006, Paul Moore wrote:
> 
>>James Morris wrote:
>>
>>>On Wed, 8 Nov 2006, Paul Moore wrote:
>>>
>>>>1. Functionality is available right now, no additional kernel changes needed
>>>>2. No special handling for localhost, I tend to like the idea of having
>>>>consistent behavior for all addresses/interfaces
>>>
>>>I don't agree.  SO_PEERSEC should always just work for loopback, just like 
>>>with Unix sockets.
>>
>>My main concern is that we would have "special" behavior for a single IP
>>address and that this behavior wouldn't be subject to the same labeled
>>networking configuration/management methods as the rest of the address space.
>  
> It's a very special case, and loopback networking has lots of special case 
> handling because of this.  It's nearly zero cost to have this work, and 
> then you get full SELinux control over local IP communications.

It sounds like you have an idea of how you would like to see this implemented,
can you give me a rough outline?  Is this the partitioned SECMARK field you
talked about earlier?

I'm asking because the only localhost SO_PEERSEC mechanism that I have seen that
didn't require explicit packet labeling was the secid approach which I think we
gave up on ...

-- 
paul moore
linux security @ hp
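The two cases the thread contrasts, SO_PEERSEC on a Unix socket versus on a TCP connection over 127.0.0.1, as an added example that is not code from the thread, from the kernel, or from either poster. It builds each connection in one process and asks the kernel for the peer's security context on both. What comes back depends on the running kernel: an LSM that implements the hook returns a context string, and ENOPROTOOPT means either no LSM handles it or (for SELinux) the peer carries no label, which is the unlabeled loopback case being argued about. The result enum, the function names and the fallback value 31 for SO_PEERSEC (the asm-generic socket.h value, used only if the headers lack it) are my own choices. Linux only.

```c
/* Added example: query SO_PEERSEC on an AF_UNIX socketpair and on a TCP
 * connection over 127.0.0.1. Not from the thread or the kernel tree. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

#ifndef SO_PEERSEC
#define SO_PEERSEC 31   /* asm-generic/socket.h value; assumed fallback for old headers */
#endif

enum peersec_result {
    PEERSEC_LABEL,        /* kernel returned the peer's security context */
    PEERSEC_UNSUPPORTED,  /* no LSM hook, or the LSM has no label for this peer */
    PEERSEC_ERROR         /* socket setup failed or getsockopt failed unexpectedly */
};

static char scratch[256];   /* used when the caller passes buf == NULL */

/* Ask for the peer context of a connected stream socket. On PEERSEC_LABEL,
 * buf holds the NUL-terminated context (e.g. "system_u:system_r:foo_t:s0"
 * under SELinux). */
static enum peersec_result query_peersec(int fd, char *buf, size_t buflen)
{
    if (buf == NULL) { buf = scratch; buflen = sizeof scratch; }
    if (buflen == 0) return PEERSEC_ERROR;
    memset(buf, 0, buflen);
    socklen_t len = (socklen_t)(buflen - 1);
    if (getsockopt(fd, SOL_SOCKET, SO_PEERSEC, buf, &len) == 0) {
        if (len >= buflen) len = (socklen_t)(buflen - 1);
        buf[len] = '\0';
        return PEERSEC_LABEL;
    }
    /* ENOPROTOOPT: no LSM implements the hook, or (SELinux) the peer has no
     * label, which is the unlabeled loopback TCP situation the thread is about. */
    if (errno == ENOPROTOOPT || errno == EINVAL)
        return PEERSEC_UNSUPPORTED;
    return PEERSEC_ERROR;
}

/* Case 1: AF_UNIX socketpair, where SO_PEERSEC already works. */
enum peersec_result unix_peersec(char *buf, size_t buflen)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return PEERSEC_ERROR;
    enum peersec_result r = query_peersec(sv[0], buf, buflen);
    close(sv[0]);
    close(sv[1]);
    return r;
}

/* Case 2: TCP over 127.0.0.1. The accepting side asks for the client's label;
 * the answer depends on the kernel's labeled-networking configuration. */
enum peersec_result loopback_tcp_peersec(char *buf, size_t buflen)
{
    enum peersec_result r = PEERSEC_ERROR;
    int lfd = -1, cfd = -1, afd = -1;
    struct sockaddr_in sa;
    socklen_t salen = sizeof sa;

    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = 0;                       /* let the kernel pick a free port */

    if ((lfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) goto out;
    if (bind(lfd, (struct sockaddr *)&sa, sizeof sa) < 0) goto out;
    if (getsockname(lfd, (struct sockaddr *)&sa, &salen) < 0) goto out; /* learn the port */
    if (listen(lfd, 1) < 0) goto out;

    if ((cfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) goto out;
    /* A blocking connect to a listening loopback socket completes without a
     * concurrent accept(): the handshake finishes inside the kernel. */
    if (connect(cfd, (struct sockaddr *)&sa, sizeof sa) < 0) goto out;
    if ((afd = accept(lfd, NULL, NULL)) < 0) goto out;

    r = query_peersec(afd, buf, buflen);
out:
    if (afd >= 0) close(afd);
    if (cfd >= 0) close(cfd);
    if (lfd >= 0) close(lfd);
    return r;
}

static const char *describe(enum peersec_result r, const char *label)
{
    switch (r) {
    case PEERSEC_LABEL:       return label;
    case PEERSEC_UNSUPPORTED: return "(no peer label: ENOPROTOOPT/EINVAL)";
    default:                  return "(setup error)";
    }
}

int main(void)
{
    char label[256];
    enum peersec_result r;

    r = unix_peersec(label, sizeof label);
    printf("AF_UNIX socketpair : %s\n", describe(r, label));
    r = loopback_tcp_peersec(label, sizeof label);
    printf("TCP 127.0.0.1      : %s\n", describe(r, label));
    return 0;
}
```

Run it on a box with SELinux enforcing and again on one without an LSM, or with NetLabel fallback labeling configured for 127.0.0.1, and compare the second line: that difference is exactly the "works like Unix sockets" behaviour the thread is arguing over.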