Serge E. Hallyn wrote:
> Quoting Paul Moore ([EMAIL PROTECTED]):
>
>> For those of you using the latest versions of the netlabel_tools you can
>> specify specific per-domain CIPSO configurations with the following command
>> line (for older versions replace "map" with "mgmt"):
>>
>>   # netlabelctl map add domain:<domain> protocol:cipsov4,<doi>
>>
>> An example for the "unlabeled_t" domain using CIPSO doi #8 would be:
>>
>>   # netlabelctl map add domain:unlabeled_t protocol:cipsov4,8
>
> Ok, cool, that is in fact how we thought <doi> would be used. However,
> looking at the current code, this shouldn't work, as pointed out by
> KaiGai (thanks KaiGai). If you look at
> security/selinux/xfrm.c:selinux_authorizable_ctx(),
> it seems to enforce that doi == XFRM_SC_DOI_LSM.
>
> Should that check be removed, or am I misremembering what that fn is
> supposed to do?
Actually, I think you are confusing IPsec/IKE DOIs with CIPSO DOIs (or I'm
confused <g>). A CIPSO DOI is not in any way related to an IPsec DOI, all
CIPSO DOI processing should be handled in the NetLabel code; for more
information on CIPSO DOI processing look at net/ipv4/cipso_ipv4.c in David
Miller's net-2.6.19 git tree.

Does this make sense?

-- 
paul moore
linux security @ hp

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
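To make the distinction above concrete, here is a small parser for the CIPSO IPv4 option, added as an example (it is not code from this thread, from NetLabel or from the kernel's cipso_ipv4.c): it shows where the CIPSO DOI that `netlabelctl map add domain:<domain> protocol:cipsov4,<doi>` binds to a domain actually sits on the wire, and checks a received option against that per-domain value. The `domain_map` table, the function names and the sample option bytes are assumptions standing in for NetLabel's real mapping.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* CIPSO IPv4 option (FIPS 188): type 134, length, 4-byte DOI in network
 * byte order, then tags. NetLabel parses this; the IPsec/IKE DOI is a
 * different value in a different protocol. */
#define CIPSO_OPT_TYPE 134
/* Return the CIPSO DOI found in an IPv4 options area, or 0 (a reserved
 * DOI value) when no well-formed CIPSO option is present. */
uint32_t cipso_doi_or_zero(const uint8_t *opts, size_t len)
{
    size_t i = 0;
    while (i < len) {
        uint8_t type = opts[i];
        if (type == 0) break;                /* End of Option List */
        if (type == 1) { i++; continue; }    /* No-Operation, one octet */
        if (i + 1 >= len) return 0;          /* truncated length octet */
        uint8_t olen = opts[i + 1];
        if (olen < 2 || i + olen > len) return 0;  /* bad option length */
        if (type == CIPSO_OPT_TYPE) {
            if (olen < 6) return 0;          /* needs type, len, DOI */
            return ((uint32_t)opts[i + 2] << 24) | ((uint32_t)opts[i + 3] << 16) |
                   ((uint32_t)opts[i + 4] << 8)  |  (uint32_t)opts[i + 5];
        }
        i += olen;
    }
    return 0;
}

/* Hypothetical stand-in for the per-domain map that "netlabelctl map add" builds. */
struct domain_doi { const char *domain; uint32_t doi; };
static const struct domain_doi domain_map[] = {
    { "unlabeled_t", 8 },                    /* the thread's example */
};

/* 1 if the packet's CIPSO DOI equals the DOI configured for the domain. */
int cipso_doi_matches_domain(const char *domain, const uint8_t *opts, size_t len)
{
    uint32_t doi = cipso_doi_or_zero(opts, len);
    for (size_t k = 0; k < sizeof domain_map / sizeof domain_map[0]; k++)
        if (strcmp(domain_map[k].domain, domain) == 0)
            return doi != 0 && domain_map[k].doi == doi;
    return 0;                                /* unknown domain: no match */
}

/* Constructed sample: NOP, CIPSO option (len 10, DOI 8, one tag of type 1
 * and length 4), then End-of-List padding to a 4-octet boundary. */
static const uint8_t sample_opts[12] = { 1, 134, 10, 0, 0, 0, 8, 1, 4, 0, 0, 0 };
```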
