Steve Grubb wrote:
> On Tuesday 29 August 2006 11:29, Rosalie Hiebel wrote:
> 
>>Are there plans to implement xinetd support for labeled networking
>>for all services (and not just external tcp nowait) ?
> 
> No. It cannot be done in some cases. 
> 
> For udp services the label travels with the packet. So, xinetd would have to 
> read the datagram to get this information. This behavior would not follow 
> what it does for non-labeled networking code, so it would probably break 
> things.
> 
> For tcp-wait services, xinetd does not call accept. Therefore it cannot get at 
> any information for the connection. The application will have to do this and 
> call execcon.
> 
> For internal services, they are all troubleshooting or can be replaced by an 
> external shell script that does the same thing with minimal effort (echo, 
> discard, date, etc). The problem here is that not all internal services 
> fork - which means that xinetd itself would be calling execcon. I don't think 
> we want that either.
> 

Since the original question wasn't entirely clear to me, perhaps it is
worth clarifying things a bit.  Regardless of what xinetd does when it
deals with the incoming connections (SteveG's comments above), the
network traffic coming into and out of a system configured to use
labeled networking will be labeled.

How the packets are labeled depends on your configuration and is
independent of xinetd.  See the NetLabel and XFRM discussions for more
information.

-- 
paul moore
linux security @ hp
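Steve's UDP point above (the label travels with the datagram, so whoever reads the datagram must also read the label), as an added example that is not xinetd's code or anything from this list: a UDP service enables IP_PASSSEC and pulls the SCM_SECURITY ancillary data out of each recvmsg() result. It assumes Linux; the two fallback macro values are taken from the kernel and glibc headers, and the sample context string is constructed for the demo.

```c
/* Added example, not xinetd's code: a UDP service reading the label that
 * "travels with the packet" as SCM_SECURITY ancillary data. Linux only. */
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#ifndef SCM_SECURITY
#define SCM_SECURITY 0x03  /* value from the kernel's linux/socket.h */
#endif
#ifndef IP_PASSSEC
#define IP_PASSSEC 18      /* value from Linux <netinet/in.h> */
#endif

/* Ask for the label on every datagram; call before recvmsg(). 0 or -1. */
int enable_passsec(int fd)
{
    int on = 1; return setsockopt(fd, IPPROTO_IP, IP_PASSSEC, &on, sizeof on);
}

/* Copy the SCM_SECURITY payload of a recvmsg() result into `label`. Returns 1
 * if a label was present, 0 if none (treat as unlabeled, not as a default). */
int extract_label(struct msghdr *msg, char *label, size_t labelsz)
{
    for (struct cmsghdr *c = CMSG_FIRSTHDR(msg); c; c = CMSG_NXTHDR(msg, c)) {
        if (c->cmsg_level != IPPROTO_IP || c->cmsg_type != SCM_SECURITY)
            continue;
        size_t n = c->cmsg_len > CMSG_LEN(0) ? c->cmsg_len - CMSG_LEN(0) : 0;
        if (n >= labelsz) n = labelsz - 1;      /* truncate, keep room for NUL */
        memcpy(label, CMSG_DATA(c), n); label[n] = '\0';
        return 1;
    }
    label[0] = '\0';
    return 0;
}

/* Demo on a constructed message (no socket): extract_label()'s result, or -1
 * if the copied label does not match the constructed one. */
int demo_extract(int with_label)
{
    static const char sample[] = "system_u:system_r:inetd_t:s0"; /* constructed */
    union { char buf[CMSG_SPACE(sizeof sample)]; struct cmsghdr align; } u;
    char label[64];
    struct msghdr msg = { .msg_control = u.buf, .msg_controllen = 0 };
    if (with_label) {
        struct cmsghdr *c = &u.align;
        c->cmsg_level = IPPROTO_IP; c->cmsg_type = SCM_SECURITY; c->cmsg_len = CMSG_LEN(sizeof sample);
        memcpy(CMSG_DATA(c), sample, sizeof sample);
        msg.msg_controllen = CMSG_SPACE(sizeof sample);
    }
    int r = extract_label(&msg, label, sizeof label);
    if (r == 1 && strcmp(label, sample) != 0) return -1;
    return (r == 0 && label[0] != '\0') ? -1 : r;
}
```

In a real service the receive loop would call enable_passsec() once on the bound socket and extract_label() after every recvmsg() with a control buffer of CMSG_SPACE() bytes, refusing or downgrading datagrams for which extract_label() returns 0.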

--
redhat-lspp mailing list
https://www.redhat.com/mailman/listinfo/redhat-lspp
