Missed this one (got caught at the mail filters I guess)... > I wonder if this would be more useful if the entire SELinux context was > taken into account and not just the MLS label? Looking (somewhat > quickly) at the patch you just posted I don't think it would require too > much extra work to make it happen, it looks like you have already added > the full SELinux context to the IPsec selector which I suspect is the > bulk of the kernel-side work. However, I imagine this would require a > bit more work in racoon/IKE side of things ...
The entire SELinux context is indeed taken into account all the way into IKE. -- redhat-lspp mailing list [email protected] https://www.redhat.com/mailman/listinfo/redhat-lspp
