> The NetLabel patch allows administrators to assign a specific CIPSO
> DOI/configuration to each LSM "domain". Blindly using the CIPSO tag that the
> remote host sends could violate the administrator's NetLabel configuration.
>
> The current patch reads the CIPSO tag off the child socket, translating the
> tag according to the CIPSO DOI configuration to arrive at the correct/desired
> LSM security attributes. These LSM security attributes and the "domain" are
> then used to set the NetLabel on the socket. In the case where everyone is
> well behaved this should have no effect on the socket IP options and the
> packets sent across the wire. However, in the case of a not-nice remote host
> the outgoing CIPSO tag may change to match the administrator's desired
> settings.

I wonder if waiting till accept isn't too late though. Perhaps this should be done when the openreq is created so the syn-ack and such will go out with the right tag?