On Tuesday 18 December 2007 8:26:35 am Stephen Smalley wrote:
> On Mon, 2007-12-17 at 15:56 -0500, Paul Moore wrote:
> > On Monday 17 December 2007 3:35:28 pm Stephen Smalley wrote:
> > > On Fri, 2007-12-14 at 16:50 -0500, Paul Moore wrote:
> > > > This patch adds a SELinux IP address/node SID caching mechanism
> > > > similar to the sel_netif_*() functions.  The node SID queries in the
> > > > SELinux hooks files are also modified to take advantage of this new
> > > > functionality.  In addition, remove the address length information
> > > > from the sk_buff parsing routines as it is redundant since we already
> > > > have the address family.
> > >
> > > This is very nice - we also need the same kind of cache for port SIDs.
> >
> > Thanks.  Any problem if we wait until 2.6.26 for a port SID cache?  It
> > shouldn't be any worse than it is now (the new code is not concerned with
> > ports) and the current patchset is already large enough that it keeps me
> > up at night thinking about all the places it could go wrong ...
>
> Yes, that's fine - just a note to file away for the future.  We'll still
> want the cache eventually though since the name_bind and name_connect
> checks are based on the port SIDs and will remain even when the compat
> checks are obsoleted.

All righty, since neither you nor James are in a hurry for this I'll "file it
away" for 2.6.26.

Thanks.

-- 
paul moore
linux security @ hp