> My main concern with these patches is that moving the NetLabel check out
> of selinux_socket_sock_rcv_skb() and into selinux_skb_policy_check() (as
> it is currently written) would force us to compare a packet's NetLabel
> with either the IPsec label or the secmark label

Yes, you would do these checks (while using a netlabel based off of the secmark at that point) to enforce flow control, and when they succeed, you will copy netlabel into secmark.

> and not the socket's
> label.

The socket vs. secmark check that happens later in rcv_skb will in fact be looking at the cipso label that is by then a part of the secmark context.

> The ability to make access decisions based on the process
> consuming the data and the data itself is one of the nicer
> qualities of NetLabel in my opinion.

This nicer quality ends up being preserved as explained above :) We just need to get out of the mindset of viewing netlabel separately once we are past the reconciliation point.