James Morris wrote:
> On Wed, 8 Nov 2006, Paul Moore wrote:
>
>> James Morris wrote:
>>
>>> On Wed, 8 Nov 2006, Paul Moore wrote:
>>>
>>>> 1. Functionality is available right now, no additional kernel changes needed
>>>> 2. No special handling for localhost, I tend to like the idea of having
>>>> consistent behavior for all addresses/interfaces
>>>
>>> I don't agree. SO_PEERSEC should always just work for loopback, just like
>>> with Unix sockets.
>>
>> My main concern is that we would have "special" behavior for a single IP
>> address and that this behavior wouldn't be subject to the same labeled
>> networking configuration/management methods as the rest of the address space.
>
> It's a very special case, and loopback networking has lots of special case
> handling because of this. It's nearly zero cost to have this work, and
> then you get full SELinux control over local IP communications.
It sounds like you have an idea of how you would like to see this implemented;
can you give me a rough outline? Is this the partitioned SECMARK field you
talked about earlier? I'm asking because the only localhost SO_PEERSEC
mechanism that I have seen that didn't require explicit packet labeling was the
secid approach, which I think we gave up on ...

--
paul moore
linux security @ hp

-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
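The disagreement above is about whether SO_PEERSEC on a loopback TCP connection should yield the peer's SELinux context the way it does for a Unix stream socket. The following probe is an added example, not code from this thread or from the kernel; it queries SO_PEERSEC on an AF_UNIX socketpair and on a TCP connection over 127.0.0.1 and classifies the outcome. It assumes Linux, that the kernel answers ENOPROTOOPT when no label is available for the peer (which is also what you get when no LSM supplies labels at all, so the two cases are not distinguishable from user space), and it falls back to the asm-generic value 31 for SO_PEERSEC if the libc headers do not define it. On an SELinux host with no labeled networking configured for loopback, the expected result is a context for the Unix pair (on kernels whose socketpair hook sets the peer SID) and "no label" for the TCP connection, which is exactly the gap being discussed.

```c
/* so_peersec_probe.c: compare SO_PEERSEC on a Unix socketpair and on loopback TCP.
 * Added example; assumes Linux and ENOPROTOOPT-for-unlabeled-peer semantics. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef SO_PEERSEC
#define SO_PEERSEC 31 /* asm-generic/socket.h value; assumption if libc headers lack it */
#endif

enum peersec_result {
    PEERSEC_LABELED,      /* kernel returned a non-empty security context for the peer */
    PEERSEC_NO_LABEL,     /* ENOPROTOOPT: no label for this peer, or no LSM providing one */
    PEERSEC_SETUP_FAILED, /* socket/bind/connect/accept failed; nothing was queried */
    PEERSEC_ERROR         /* getsockopt() failed for another reason (e.g. ERANGE) */
};

static char g_label[256]; /* last context returned by the kernel, if any */

const char *last_peer_label(void) { return g_label; }

static enum peersec_result query_peersec(int fd)
{
    socklen_t len = sizeof g_label;
    memset(g_label, 0, sizeof g_label);
    if (getsockopt(fd, SOL_SOCKET, SO_PEERSEC, g_label, &len) < 0)
        return errno == ENOPROTOOPT ? PEERSEC_NO_LABEL : PEERSEC_ERROR;
    g_label[sizeof g_label - 1] = '\0';
    return g_label[0] ? PEERSEC_LABELED : PEERSEC_NO_LABEL;
}

/* Unix stream socket: the peer label is the context of the task that owns the other end. */
enum peersec_result unix_pair_peersec(void)
{
    int sv[2];
    enum peersec_result r;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return PEERSEC_SETUP_FAILED;
    r = query_peersec(sv[0]);
    close(sv[0]);
    close(sv[1]);
    return r;
}

/* Loopback TCP: the label has to arrive with the packets (SECMARK, NetLabel/CIPSO,
 * labeled IPsec). Unlabeled loopback traffic yields ENOPROTOOPT even under SELinux. */
enum peersec_result loopback_tcp_peersec(void)
{
    enum peersec_result r = PEERSEC_SETUP_FAILED;
    int lfd = -1, cfd = -1, afd = -1;
    struct sockaddr_in addr;
    socklen_t alen = sizeof addr;

    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = 0; /* kernel picks a free port; read it back with getsockname */

    lfd = socket(AF_INET, SOCK_STREAM, 0);
    cfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0 || cfd < 0)
        goto out;
    if (bind(lfd, (struct sockaddr *)&addr, sizeof addr) < 0 ||
        getsockname(lfd, (struct sockaddr *)&addr, &alen) < 0 ||
        listen(lfd, 1) < 0 ||
        connect(cfd, (struct sockaddr *)&addr, sizeof addr) < 0)
        goto out;
    afd = accept(lfd, NULL, NULL);
    if (afd < 0)
        goto out;
    r = query_peersec(afd); /* the server side asks who connected */
out:
    if (afd >= 0) close(afd);
    if (cfd >= 0) close(cfd);
    if (lfd >= 0) close(lfd);
    return r;
}

static const char *describe(enum peersec_result r)
{
    switch (r) {
    case PEERSEC_LABELED:      return last_peer_label();
    case PEERSEC_NO_LABEL:     return "no label (ENOPROTOOPT)";
    case PEERSEC_SETUP_FAILED: return "setup failed";
    default:                   return "getsockopt error";
    }
}

int main(void)
{
    printf("AF_UNIX socketpair: %s\n", describe(unix_pair_peersec()));
    printf("TCP over 127.0.0.1: %s\n", describe(loopback_tcp_peersec()));
    return 0;
}
```

The probe asks on the accepted (server-side) socket because that is where a daemon would make an access decision about a local client; the same getsockopt works on the connecting side once the handshake completes. A practitioner checking a policy change for loopback labeling can rerun this after configuring SECMARK or NetLabel and watch the TCP line move from "no label" to a real context.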