Venkat Yekkirala wrote:
>>> Fine with me, unless Venkat has an immediate use case for such
>>> transitions in the flow_in case (but I think this is mostly
>>> my fault for suggesting transitions a while ago).
>
> I don't have a use case currently.
>
>> Unless I'm confusing something, there still may be a need for
>> transitions if we want to support both IPsec and NetLabel labeling
>> on the same connection.
>> If we don't support transitions and allow both labeling methods on the
>> same connection we'll need to decide how to handle resolving the two -
>> maybe use a transition in this one case?
>
> Since CIPSO doesn't do full contexts currently, it would be just a
> matter of an additional flow_in check. The base sid used here would
> be the current secmark at that point (which will be the xfrm sid
> if xfrm was used). So, no transitions needed here currently.
That's fine by me, I just wanted to make sure something like that would be acceptable.

So, in summary, we would do the normal flow_in checks for both IPsec and NetLabel and then set the secmark using the IPsec label as the "base sid" for the NetLabel's generated SID?

-- 
paul moore
linux security @ hp