From: "Venkat Yekkirala" <vyekkirala@TrustedCS.com>
To: "'Joy Latten'" <latten@austin.ibm.com>, <selinux@tycho.nsa.gov>
Cc: <cpebenito@tresys.com>
Subject: RE: [PATCH 0/7] labeled ipsec policy changes
Date: Fri, 15 Dec 2006 10:25:37 -0600
Message-ID: <001001c72065$a7cc0560$cc0a010a@tcssec.com>
In-Reply-To: <200612150134.kBF1Y9qk002698@faith.austin.ibm.com>

Perhaps this can be simplified into the following (aside
from policy for setkey, racoon and association.setcontext):

1. Ability for a site to determine what domains can engage
   in UNLABELED IPSec communication. This can be ALL domains
   based on a boolean setting?

	allow domain unlabeled_t:association { sendto recvfrom };

2. Perhaps we can have ALL domains that can talk to the network
   be able to use labeled-ipsec communication by default?

	allow dom_with_net_access labeled_ipsec_t:association { polmatch };
	allow dom_with_net_access self:association { sendto };

3. The only remaining issue would then be deciding what domains
   can recv from what. This can perhaps be wrapped in an interface?

	allow local_dom1 peer_dom1:association { recvfrom }; 

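The three items above can be written in reference-policy (m4) form, with the boolean from item 1 and the interface from item 3 made concrete. This is an added illustration, not part of the message or of the posted patch set. The tunable name `allow_unlabeled_ipsec` and the interface name `ipsec_labeled_recvfrom` are hypothetical; `dom_with_net_access`, `local_dom1` and `peer_dom1` are the placeholders used in the message.

```m4
# --- interface file (.if); the interface name is hypothetical ---

## <summary>
##	Allow a local domain to receive from a peer domain over a
##	labeled IPsec association (item 3).
## </summary>
## <param name="domain">
##	<summary>Local receiving domain.</summary>
## </param>
## <param name="peer_domain">
##	<summary>Type carried by the association of the peer.</summary>
## </param>
interface(`ipsec_labeled_recvfrom',`
	allow $1 $2:association recvfrom;
')

# --- policy file (.te) ---
# Assumption: domain, unlabeled_t, labeled_ipsec_t and the placeholder
# domains below are declared elsewhere in the policy.

## <desc>
## <p>
## Allow all domains to use unlabeled IPsec associations (item 1).
## The tunable name is hypothetical.
## </p>
## </desc>
gen_tunable(allow_unlabeled_ipsec, false)

# Item 1: the site decides via the boolean; off by default here.
tunable_policy(`allow_unlabeled_ipsec',`
	allow domain unlabeled_t:association { sendto recvfrom };
')

# Item 2: every domain with network access may match the labeled
# IPsec policy entry and send on an association carrying its own label.
allow dom_with_net_access labeled_ipsec_t:association polmatch;
allow dom_with_net_access self:association sendto;

# Item 3: receiving stays an explicit, per-pair decision made by
# calling the interface for each permitted local/peer combination.
ipsec_labeled_recvfrom(local_dom1, peer_dom1)
```

With this layout, turning the boolean off leaves only labeled traffic, and the set of `ipsec_labeled_recvfrom` calls is the complete list of which domains accept data from which peers.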
