Re: [RFC] SECMARK 1.0

2006-05-09 Thread Karl MacMillan
On Mon, 2006-05-08 at 17:29 -0400, James Morris wrote: On Mon, 8 May 2006, Karl MacMillan wrote: Something like CONNMARK seems preferable to me (perhaps even allowing type_transition rules to give the related packets a unique type). This makes the labeling reflect the real security

Re: [RFC] SECMARK 1.0

2006-05-09 Thread James Morris
On Tue, 9 May 2006, Karl MacMillan wrote: those connections, but my concern is that connection could, through error or exploit, be passed to another domain that should not receive packets from that type of connection (see below). Connection passing or inheritance should be subject to kernel

Re: [RFC] SECMARK 1.0

2006-05-09 Thread Stephen Smalley
On Tue, 2006-05-09 at 12:40 -0400, James Morris wrote: On Tue, 9 May 2006, Karl MacMillan wrote: those connections, but my concern is that connection could, through error or exploit, be passed to another domain that should not receive packets from that type of connection (see below).

Re: [RFC] SECMARK 1.0

2006-05-09 Thread Karl MacMillan
On Tue, 2006-05-09 at 12:40 -0400, James Morris wrote: On Tue, 9 May 2006, Karl MacMillan wrote: those connections, but my concern is that connection could, through error or exploit, be passed to another domain that should not receive packets from that type of connection (see below).

Re: [RFC] SECMARK 1.0

2006-05-09 Thread James Morris
On Tue, 9 May 2006, Karl MacMillan wrote: Ok - I obviously don't have the expertise to judge how ugly the code to do this is. It becomes a question of whether the feature is compelling enough. Actually, I think there may be a good way to do this, will investigate. - James -- James Morris

Re: [RFC] SECMARK 1.0

2006-05-08 Thread Karl MacMillan
On Sun, 2006-05-07 at 13:43 -0400, James Morris wrote: On Sun, 7 May 2006, Joshua Brindle wrote: It looks like you are labeling all packets on an established connection as tracked_packet_t. What is the rationale for not labeling all ftp traffic as ftpd_packet_t? Granted that it's very

Re: [RFC] SECMARK 1.0

2006-05-08 Thread James Morris
On Mon, 8 May 2006, Karl MacMillan wrote: Something like CONNMARK seems preferable to me (perhaps even allowing type_transition rules to give the related packets a unique type). This makes the labeling reflect the real security property of the packets. That's arguable. The real security

[RFC] SECMARK 1.0

2006-05-07 Thread James Morris
The following patchsets implement a new scheme for adding security markings to packets via iptables, as well as changes to SELinux to use these markings for security policy enforcement. Along with these patches, assorted files including policy examples and patches for SELinux userland may be

Re: [RFC] SECMARK 1.0

2006-05-07 Thread Joshua Brindle
James Morris wrote: For example, SELinux will now be able to utilize connection tracking, so that only packets which are known to be valid for a specific connection will be allowed to reach the subject. Sample iptables rules for labeling packets are at:

Re: [RFC] SECMARK 1.0

2006-05-07 Thread James Morris
(note: an old, incorrect address for netfilter-devel was used in the initial mail, please update to the correct one as above if replying to this thread). -- James Morris [EMAIL PROTECTED] - To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL