Stephen Smalley wrote:
>> Basically I was trying to be a bit more informative in case somebody
>> ever wants to know the difference between a failed IPsec authorization,
>> -EPERM, and a packet that didn't even pass through IPsec, -EIDRM. At
>> least that is how I understand the code to work, please correct me if
>> I'm wrong. I figured it was cheap to provide more information so why
>> not do it?
>
> Current code falls through to the unlabeled check in either case. The
> first case isn't really a failed authorization; it is just the lack of a
> SELinux context for the association, in which case it is treated in the
> same manner as an unprotected packet, i.e. check for unlabeled status.
> EIDRM is a System V IPC-specific error, right?
>
> In any event, if you aren't going to make use of the distinction
> yourself, then I'd not make it in the code.  It can always be added
> later if a caller does need the distinction.

Fair enough.

--
paul moore
linux security @ hp
