> From: Stephen Smalley
>
> On 10/31/2012 01:13 PM, qsw...@tresys.com wrote:
> > From: Quentin Swain <qsw...@tresys.com>
> >
> > +<context> # The contexts must be valid SElinux context or the Kernel
> > +will not create the # labeled SPD policies. SAs created for traffic
> > +matching the policies will # contain the label of the matching SPD
> > +policy. If there are no matching # entries then the SPD entry will
> > +default to u:object_r:unlabeled:s0 context # Lines beginning with #
> > +are comments # defined in ipsec.h # IPSEC_DIR_INBOUND = 1 #
> > +IPSEC_DIR_OUTBOUND = 2 # Sample policies:
> > +#1 10.1.12.212 u:object_r:lo_packet:s0
> > +#2 10.1.12.212 u:object_r:lo_packet:s0
>
> Use "in" and "out" rather than "1" and "2" in the configuration
> language. You are only supporting one SA per remote address? Not
> taking into account the local process at all?
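Review bot: the two sample entries use a field order (direction, remote address, SELinux context) that the comment block never states, and the direction values 1 and 2 are only explained by pointing at ipsec.h; add a format line such as `# <direction> <remote-address> <context>` directly above "# Sample policies:" so a reader can write an entry without consulting the header. The comment also says the kernel will not create the labeled SPD policy when the context is invalid, which means a typo in the context field silently leaves that traffic without the intended label; the loader that reads this file should check each context (libselinux's security_check_context() does this) and log a hard error for a malformed entry rather than skipping it.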
For this use case an app will either have access or not; there is no local process when you are establishing the connection (this will always be done by the VPN client, not SPD-initiated automatic connections like a regular Linux distro). One reported feature of 4.2 is automatic VPN connections so this may change.

--
This message was distributed to subscribers of the seandroid-list mailing list. If you no longer wish to subscribe, send mail to majord...@tycho.nsa.gov with the words "unsubscribe seandroid-list" without quotes as the message.