On Jun 16, 2006, at 4:31 PM, Venkat Yekkirala wrote:
In selinux_xfrm_policy_lookup, we check that the fl_sid has
access to
the xfrm policy's sid before using that policy.
On input, I take this to mean that we must have granted the type of
the SA access to the policy,
That is correct.
and the case of the server receiving a
packet from a client these would be the same (client's type).
Probably, but since we have the SA Type delinked from the
xfrm_policy Type
it's all entirely upto the policy.
I guess that what I envisioned is that we would deduce a type for the
socket (even if there isn't a specific one, we could infer for some
such as an ICMP reply), use the flow sid to limit the choice of
appropriate xfrm_policy types (we hadn't added this, but now you
have), and then determine access of the socket type to the policy
type (as limited by choices relevant to the flow).
My understanding of the basis for the current
selinux_xfrm_policy_lookup is that you do not believe that we can
deduce the socket's type effectively for several cases (particularly
on input), so we need to check for the socket's access in rcv_skb and
use the flow sid in lookup. I am not 100% convinced that the
deduction is not possible (although I only looked had problems on the
output). Is there a convincing argument?
Regards,
Trent.
----------------------------------------------
Trent Jaeger, Associate Professor
Pennsylvania State University, CSE Dept
346A IST Bldg, University Park, PA 16802
Email: [EMAIL PROTECTED]
Ph: (814) 865-1042, Fax: (814) 865-3176
--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
