On Wed, 2006-11-29 at 14:42 -0600, Venkat Yekkirala wrote:
> > I'm not very sure how users will use the SPD labeling. I suspect that
> > they will be labeled with probably the other side's domain type. For
> > example, if httpd_t and mozilla_t are connected, the SPD would be
> > mozilla_t on the http machine and httpd_t on the mozilla machine.
> >
>
> In the simplest case, you would just have a generic "labeled_ipsec_t" Type
> that would be specified for all the spd rules that pertain to labeled-ipsec.
> All the different domains that need to use labeled-ipsec would then polmatch
> to labeled_ipsec_t.
>
> The SAs will always and automatically be using the originating domain Type.
> So, the SA from the client to server would be auto-labeled mozilla_t,
> rss_aggregator_t, etc. (on both ends), and the SA from the server to client
> would be auto-labeled httpd_t (again on both ends).
Ok, so then I will go with my original idea of a type ipsec_spd_t and create
an interface that allows sysadmins to create selinux policy for "polmatching"
ipsec SAs to the ipsec policy type, ipsec_spd_t.

Thanks!!

Joy

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
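A sketch of what such an interface looks like, added here as an illustration rather than the policy Joy went on to write: refpolicy-style m4 `interface()` macros are assumed, the interface name `ipsec_match_spd` is hypothetical, and the `ipsec_spd_t` type is the one named in the thread. The receive-side rule assumes the kernel checks `recvfrom` from the receiving socket's domain to the label of the SA the packet arrived on, which is why, per Venkat's description, each end needs `recvfrom` on the peer domain's type.

```selinux
# Added example, not the policy from this thread. Assumes refpolicy-style
# interface() macros; the interface name ipsec_match_spd is hypothetical.
#
# --- ipsec.te (type declaration; normally lives with the ipsec module) ---
# type ipsec_spd_t;

# --- ipsec.if ---
## <summary>
##	Allow a domain's IPsec SAs to match SPD entries labeled ipsec_spd_t.
## </summary>
## <param name="domain">
##	<summary>
##	Domain whose SAs should polmatch the labeled SPD rules.
##	</summary>
## </param>
interface(`ipsec_match_spd',`
	gen_require(`
		type ipsec_spd_t;
	')

	# The SA is auto-labeled with the originating domain's type, so that
	# type must polmatch the SPD entry's type for the policy to be chosen.
	allow $1 ipsec_spd_t:association polmatch;

	# Sending on an SA that carries the domain's own type.
	allow $1 self:association sendto;
')

# --- a local module (.te) using the interface ---
# Both ends of an httpd_t <-> mozilla_t connection use the labeled SPD.
ipsec_match_spd(httpd_t)
ipsec_match_spd(mozilla_t)

# Each side receives on the SA labeled with the peer's domain type
# (server->client SA is httpd_t, client->server SA is mozilla_t).
allow mozilla_t httpd_t:association recvfrom;
allow httpd_t mozilla_t:association recvfrom;
```

The SPD entries themselves are installed with a security context of `ipsec_spd_t` (setkey's `-ctx` option on `spdadd`, or the equivalent in the key-management tool in use); any domain not granted `polmatch` to that type will simply fail to match those rules, which is the intended least-privilege effect and shows up as an `association` denial in the audit log.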
