> > > I'm not very sure how users will use the SPD labeling. I suspect that
> > > they will be labeled with probably the other side's domain type. For
> > > example, if httpd_t and mozilla_t are connected, the SPD would be
> > > mozilla_t on the http machine and httpd_t on the mozilla machine.
> >
> > In the simplest case, you would just have a generic "labeled_ipsec_t" Type
> > that would be specified for all the spd rules that pertain to labeled-ipsec.
> > All the different domains that need to use labeled-ipsec would then polmatch
> > to labeled_ipsec_t.
> >
> > The SAs will always and automatically be using the

s/always/always (when the spd rule has a context associated with it)/

> > originating domain Type.
> >
> > So, the SA from the client to server would be auto-labeled mozilla_t,
> > rss_aggregator_t, etc. (on both ends), and the SA from the server to client
> > would be auto-labeled httpd_t (again on both ends).
>
> Ok, so then I will go with my original idea of a type ipsec_spd_t and
> create an interface that allows sysadmins to create selinux policy for
> "polmatching" ipsec SAs to the ipsec policy type, ipsec_spd_t. Thanks!!
>
> Joy

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
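As an added illustration of the arrangement discussed in this thread (not code from the thread or from any project), here is what a refpolicy-style interface granting `polmatch` on a generic `ipsec_spd_t` SPD label could look like, together with the matching labeled SPD entry. The interface name, the domain it is applied to and the addresses are assumptions; `ipsec_spd_t` and the `polmatch` permission are the ones named above.

```m4
# Added example, refpolicy-style SELinux policy (m4 macros).
# Assumed: interface name, httpd_t as the consumer, sample addresses.

# Interface: let a domain's SAs match SPD entries labeled ipsec_spd_t.
interface(`ipsec_match_default_spd',`
	gen_require(`
		type ipsec_spd_t;
	')

	# The kernel checks <originating domain> -> <SPD entry label> for
	# association:polmatch only when an SA created for $1 is matched
	# against an SPD rule that carries a security context.
	allow $1 ipsec_spd_t:association polmatch;
')

# In the web server module: httpd_t may polmatch the generic SPD label.
ipsec_match_default_spd(httpd_t)

# Corresponding labeled SPD entry (setkey syntax, assumed addresses).
# The SPD rule carries the generic label; the SA itself is labeled with
# the originating domain (httpd_t here), as described in the thread.
#
#   spdadd 192.0.2.10 192.0.2.20 any
#       -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0"
#       -P out ipsec esp/transport//require;
```

An SPD rule without `-ctx` triggers no polmatch check at all, which is the qualification the `s/always/.../` correction above makes.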
