> -----Original Message-----
> From: James Morris [mailto:[EMAIL PROTECTED]
> Sent: Monday, October 09, 2006 12:02 PM
> To: Venkat Yekkirala
> Cc: [EMAIL PROTECTED]; [email protected]; [EMAIL PROTECTED];
> [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE: [PATCH 0/1] selinux: secid reconciliation fixes V01
>
>
> On Mon, 9 Oct 2006, Venkat Yekkirala wrote:
>
> > I did in fact test inside SELinux, and that's how I found
> > out these were igmp packets. These were getting labeled implicitly
> > with unlabeled_t, and now after labeling these distinctly, policy won't
> > have to grant access to the network to unlabeled packets. An alternative
> > is to not flow control any traffic that doesn't have a sock associated
> > with it.
>
> This might be worth considering as an intermediate step, and multicast
> support can be added later. Just need to make sure it doesn't break
> anything else.

A problem with NOT flow-controlling traffic with no associated sock
is that this (no-flow-control) would also then apply to the forwarded
traffic. I would rather just see what breaks (I seriously doubt it)
in beta2 and fix it.

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
