On Jun 16, 2006, at 11:03 AM, Venkat Yekkirala wrote:
>> I am not sure that this semantics works right for the TE case where a server may receive requests from clients of different types.
>
> The server may receive requests from clients of different types (as taken from the SAs the requests used) as long as the server type has the association { recvfrom } access to the client (SA) type per SELinux policy.
In selinux_xfrm_policy_lookup, we check that the fl_sid has access to the xfrm policy's sid before using that policy.
On input, I take this to mean that we must have granted the type of the SA access to the policy, and in the case of the server receiving a packet from a client, these would be the same (the client's type).
At least on the first input via this flow. Then, it looks like the flow cache will hit based on your changes and we will be OK.
Regards,
Trent.

----------------------------------------------
Trent Jaeger, Associate Professor
Pennsylvania State University, CSE Dept
346A IST Bldg, University Park, PA 16802
Email: [EMAIL PROTECTED]
Ph: (814) 865-1042, Fax: (814) 865-3176

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
