> From: Venkat Yekkirala [mailto:[EMAIL PROTECTED]]
>
> > I pulled in the lspp respin kernels and am checking the labeling
> > behavior now so I should have a full response later, however I ran
> > into one unexpected thing immediately on bootup with the new kernel:
>
> Just FYI- The labeled-ip
Venkat Yekkirala wrote:
This patchset is against davem's net-2.6.git. Please apply to 2.6.19.
The following are the changes since the previous post of this patchset:
1. Separate BUG_ON usage per Eric's suggestion.
2. Replace security_sid_compare with a simple sid compare check per
a suggest
On Fri, 2006-09-29 at 08:59 -0400, Stephen Smalley wrote:
> On Thu, 2006-09-28 at 23:52 -0400, Joshua Brindle wrote:
> > Venkat Yekkirala wrote:
> > >
> > > +
> > > + err = avc_has_perm(xfrm_sid, skb->secmark, SECCLASS_PACKET,
> > > +
Venkat Yekkirala wrote:
+
+ err = avc_has_perm(xfrm_sid, skb->secmark, SECCLASS_PACKET,
+ PACKET__FLOW_IN, NULL);
+ if (err)
+ goto out;
+
+ if (xfrm_sid) {
+ err = security_transition_sid(xfrm_sid, skb->secmark,
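Review bot: avc_has_perm() is called with xfrm_sid as the source SID before the `if (xfrm_sid)` test that follows, so the PACKET__FLOW_IN check also runs when xfrm_sid is 0. If a zero SID here means the packet carried no xfrm label, either move the access check inside the conditional or map the zero SID to an explicit unlabeled SID before the call, and add a comment stating which behaviour is intended. The `goto out` path would also be easier to review with a short comment saying what the caller does with a non-zero err (drop versus pass).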
James Morris wrote:
For example, SELinux will now be able to utilize connection tracking, so
that only packets which are known to be valid for a specific connection
will be allowed to reach the subject.
Sample iptables rules for labeling packets are at:
http://people.redhat.com/jmorris/selinux