On Jun 20, 2006, at 6:50 PM, Venkat Yekkirala wrote:
>> I have a question: if the sock type does not match the policy type
>> (xfrm_lookup hook on output step (2)), can we send the packet?
> Only if the packet can send to SECINITSID_UNLABELED as checked in
> selinux_xfrm_postroute_last() which would be the 5th step below.
>> It seems on output the socket and policy types must match,
> More accurately, the flow (which derives from the socket in the locally
> generated case) and the policy types must "polmatch", yes.
OK. This semantics is different for types where we checked that the
socket (or flow) had access to send using the policy at lookup.
It seems like the semantics of the flow sid is different between output
and input. On output, it's based on the socket and on input it's
based on the sa. The flow/sa analogy makes sense to me, but the
socket less so (multiple sockets can use the same flow).
I am not sure that the approach in lookup should be symmetric in that
case.
Regards,
Trent.
----------------------------------------------
Trent Jaeger, Associate Professor
Pennsylvania State University, CSE Dept
346A IST Bldg, University Park, PA 16802
Email: [EMAIL PROTECTED]
Ph: (814) 865-1042, Fax: (814) 865-3176
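A toy model in C of the semantics discussed in this exchange, added here as an illustration and not code from the thread or from the kernel: on output the flow SID is taken from the sending socket, on input from the SA the packet arrived through, and a flow that does not "polmatch" the candidate policy may still leave only if the socket may send to SECINITSID_UNLABELED (the selinux_xfrm_postroute_last() check). The SID numbers, the two rule tables, the assumed value of SECINITSID_UNLABELED and every function name below are constructed for this example; the real kernel consults the AVC through its security_xfrm_* hooks.

```c
/* Toy model (added example, not kernel code) of the SELinux/XFRM flow-SID
 * asymmetry: output flow SID derives from the socket, input flow SID from
 * the SA. All SIDs and rule tables are constructed for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef unsigned int sid_t;

/* Assumed value of the kernel's initial SID for unlabelled traffic. */
#define SECINITSID_UNLABELED 3u

/* Constructed SIDs: three sockets, one labelled policy, one SA. */
enum { SID_SOCK_A = 10, SID_SOCK_B = 11, SID_SOCK_C = 12,
       SID_POL_A = 20, SID_SA_A = 30 };

enum verdict { DROP = 0, SEND_LABELED = 1, SEND_UNLABELED = 2 };

struct rule { sid_t subj; sid_t obj; };

/* Which (flow, policy) pairs "polmatch" under this toy policy. */
static const struct rule polmatch_rules[] = {
    { SID_SOCK_A, SID_POL_A },   /* socket A's outbound flow matches policy A */
    { SID_SA_A,   SID_POL_A },   /* inbound flow via SA A matches policy A   */
};

/* Which sockets may send to the unlabelled SID (step 5 fallback). */
static const struct rule unlabeled_send_rules[] = {
    { SID_SOCK_B, SECINITSID_UNLABELED },
};

#define NELEM(a) (sizeof(a) / sizeof((a)[0]))

static bool rule_allows(const struct rule *tab, size_t n, sid_t subj, sid_t obj)
{
    for (size_t i = 0; i < n; i++)
        if (tab[i].subj == subj && tab[i].obj == obj)
            return true;
    return false;
}

/* Output: the flow SID is the sending socket's SID (locally generated case). */
sid_t output_flow_sid(sid_t sock_sid) { return sock_sid; }

/* Input: the flow SID is the SID of the SA that decapsulated the packet. */
sid_t input_flow_sid(sid_t sa_sid) { return sa_sid; }

/* Step (2), xfrm_lookup: does this flow polmatch the candidate policy? */
bool flow_polmatch(sid_t flow_sid, sid_t policy_sid)
{
    return rule_allows(polmatch_rules, NELEM(polmatch_rules), flow_sid, policy_sid);
}

/* Step (5), postroute_last: may this socket emit unlabelled traffic? */
bool postroute_last_allows(sid_t sock_sid)
{
    return rule_allows(unlabeled_send_rules, NELEM(unlabeled_send_rules),
                       sock_sid, SECINITSID_UNLABELED);
}

/* Whole output path. policy_sid == NULL means no labelled policy matched the
 * selectors. A flow that fails polmatch is treated like having no policy:
 * the packet may only leave unlabelled, and only if step (5) permits it. */
enum verdict output_decision(sid_t sock_sid, const sid_t *policy_sid)
{
    sid_t flow = output_flow_sid(sock_sid);
    if (policy_sid != NULL && flow_polmatch(flow, *policy_sid))
        return SEND_LABELED;
    return postroute_last_allows(sock_sid) ? SEND_UNLABELED : DROP;
}

/* Input path: accept only if the SA-derived flow polmatches the policy. */
bool input_decision(sid_t sa_sid, sid_t policy_sid)
{
    return flow_polmatch(input_flow_sid(sa_sid), policy_sid);
}

int main(void)
{
    sid_t pol = SID_POL_A;
    printf("sock A under policy A: %d\n", output_decision(SID_SOCK_A, &pol));   /* 1 */
    printf("sock B under policy A: %d\n", output_decision(SID_SOCK_B, &pol));   /* 2 */
    printf("sock C under policy A: %d\n", output_decision(SID_SOCK_C, &pol));   /* 0 */
    printf("inbound via SA A:      %d\n", input_decision(SID_SA_A, SID_POL_A)); /* 1 */
    return 0;
}
```

The point the model makes visible is the one Trent raises: on output two different sockets (A and B) produce two different flow SIDs for what is otherwise the same flow, and the polmatch outcome follows the socket, whereas on input there is one flow SID per SA regardless of which socket eventually receives the packet.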
--
redhat-lspp mailing list
https://www.redhat.com/mailman/listinfo/redhat-lspp