Hello.

On Wed, 07/12/2016 at 08.25 -0500, Stephen Smalley wrote:
> On 12/06/2016 07:13 PM, Paul Moore wrote:

[...]

> > You mentioned IGMP previously, if we have a class for ICMP, it seems
> > reasonable to have one for IGMP, don't you think?  Although this does
> > spiral a bit if we consider all the IPPROTO* protocols.
> 
> I thought about it, but the kernel does not provide IGMP sockets per se,
> unlike ICMP or SCTP sockets (i.e. ipv4/af_inet.c:inetsw_array[] defines
> an entry for SOCK_DGRAM, IPPROTO_ICMP and sctp/protocol.c defines and
> registers inet_protosw entries for SOCK_STREAM, IPPROTO_SCTP and
> SOCK_SEQPACKET, IPPROTO_SCTP; there is no equivalent for IGMP unless I
> missed it).  So IGMP sockets are just raw IP sockets with a particular
> protocol value; they have no stream, seqpacket, or dgram semantics, and
> it is unclear it is worthwhile to distinguish them in policy.

I suppose distinguishing IGMP packets brings little benefit in terms of
security.

Regards,

Guido