From: "Török Edwin" <edwin@gurde.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Joshua Brindle <jbrindle@tresys.com>,
"Christopher J. PeBenito" <cpebenito@tresys.com>,
selinux@tycho.nsa.gov, fireflier-devel@lists.sourceforge.net,
marius@cs.utt.ro
Subject: Re: Labeling only policy and problems with booleans
Date: Wed, 26 Apr 2006 23:08:16 +0300 [thread overview]
Message-ID: <200604262308.16575.edwin@gurde.com> (raw)
In-Reply-To: <1146079604.28745.183.camel@moss-spartans.epoch.ncsc.mil>
On Wednesday 26 April 2006 22:26, Stephen Smalley wrote:
>
> sediff of these two policies shows a _lot_ of differences, including 107
> added types in the "bad" policy. Are you sure they are identical except
> for linking unconfined? What is in that module (source)?
Hmm, that is *bad*. The module source is in the refpolicy.tgz.
I linked unconfined _and_ all its dependencies (which is quite a lot, from
memory:
init,udev,userdomain,locallogin,libraries,storage,miscfiles,authlogin,...)
>
> I do see an allow unconfined_t security_t:security load_policy under a
> different boolean in the "bad" policy; looks like a boolean mapping
> problem at link time. We did see those when the optionals-in-base
> support was first merged, so the Debian checkpolicy might have an issue
> there, but that should have been resolved in 1.30.3 or newer, built
> against libsepol 1.12.3 or newer.
I'll try upgrading libsepol in fc5, and I'll also try to build
checkpolicy+libsepol manually from the latest sources. I'll let you know
(possibbly tomorrow) if this makes a difference.
btw, wouldn't it be nice for checkpolicy to have a --version option, currently
I have to use apt-cache policy for debian, rpm -q for redhat, etc. to find
out which version I have.
>
> > kernel messages: http://edwintorok.googlepages.com/messages
> > full build directory: http://edwintorok.googlepages.com/refpolicy.tgz
Upload size limit :(, try this one:
http://projects.emerge.upt.ro/Kernel-Dev/browser/fireflier/refpolicy.tgz?format=raw
>
> This one returned a 404 error.
>
> > Let me know if anything else is needed to trace the problem.
> >
> > There is another thing that worries me.
> > I was able to do mknod xx c 1 2 creating an equivalent of /dev/kmem, and
> > it wasn't labeled memory_device_t, it was labeled unlabeled_t.
> > So I guess giving access to unlabeled_t files is very dangerous (as you
> > say below). I assume one could exploit this by writing a program that
> > creates a kmem equivalent, and then he can do anything he wishes,
> > including replacing policy, loading another kernel module, patch
> > syscalls...., am I right?
>
> Not entirely. Keep in mind that opening the memory devices requires
> CAP_SYS_RAWIO, so you also need the SELinux sys_rawio permission in the
> capability class to make use of such a device node even if you can
> create one. However, ensuring a consistent label on devices
> irrespective of filesystem node used to access them would be nice; there
> has been some consideration of labeling the internal objects rather than
> just the filesystem nodes and applying access control at that layer to
> ensure consistent control.
That would be nice. Then device under /dev would automatically get the correct
label? It would also eliminate a few bootstrapping problems (currently I have
to reboot using init=/bin/sh, relabel /dev, and then reboot&relabel after
udev is up).
> In the meantime, be careful about who you
> allow to create device nodes and who you allow sys_rawio in your policy.
Ok
>
>
> > - devices in /dev (handled by udev policy?)
> > - selinux policy loading programs (loadpolicy, semodule)
> > But I do want to be able to label individual files (when fireflier
> > generates policies for them).
> >
> > If I don't run setfiles, and I run restorecon only for the: selinux
> > policy loading programs, and fireflier, will that be safe? (will an
> > unlabeled program be able to gain access to another domain besides
> > unconfined_t) Also, should I consider doing the policy loading myself in
> > fireflier (via libselinux,libsemanage...) instead of relying on an
> > external program?
>
> Normative pattern is to install policy modules via semodule, which calls
> libsemanage to perform the actual installation and loading of policy.
> libsemanage uses the external programs as appropriate. Then you just
> have to invoke restorecon as appropriate to label the desired files.
> Using the external program is preferred, and may be enforced via policy
> under some policies.
I'll use semodule then. Would it make sense to add file integrity check to
fireflier (checksum/secure hash/digital signature)? (for checking if semodule
is actually what it should be)
>
> > Ok. But let me clarify, by unconfined_t I don't mean unconfined_t from
> > the targeted policy, since that has policy loading allowed.
> > I want to allow unconfined_t everything except:
> > - loading policy
> > - changing labels
> > - kernel module loading (boolean controlled, if I get booleans working)
> > - changing iptables rules
> > - writing to raw memory
> > Fireflier doesn't aim to be a full security solution, I just want it to
> > create proper labels for skfilter to use, and as such there should be no
> > way for an unconfined_t process to change labels/load policy.
>
> I'm not certain how useful this is, as there are obvious bypasses here
> unless you start dealing with all of the dependencies for the associated
> programs and their data, e.g. can unconfined_t still update glibc? At
> which point unconfined_t becomes a misnomer and you start approximating
> the strict policy more and more.
Like I said, fireflier is going to deal with the networking part only. I just
wanted to add some simple protection to prevent simple bypasses. By simple I
mean those that can be done instantly: if somebody loads a policy it has
bypassed fireflier. OTOH if he wouldn't have had fireflier installed,
somebody could have just flushed the iptables rules.
So maybe I'll focus on the networking part, and label transition part only,
and _not_ think of N possible ways to punch holes in the system, if somebody
really wants to.
So the only kind of protection that still makes sense, and would be easy to do
(I hope) is to prevent programs from switching contexts(AFAIK there are some
libselinux functions, that can be called to do that switch).
>
> > I intend to use neverallow to catch policy generation bugs, and ...policy
> > creating logic errors. Also will it stop somebody from loading a policy
> > module that overrides my restrictions?
>
> semodule/libsemanage should end up rejecting a module if it violates a
> neverallow rule in the base or any other module, so in one sense, yes.
> But keep in mind that if the person loading the policy module has the
> ability to manipulate the module store, then they can always
> remove/replace the module that has those assertions, so you have to
> ensure non-bypassability there.
I didn't mean to protect against malicious users with neverallow. I only
wanted to give the user/sysadmin a warning, that he breaks some rules he has
previously set: so that he doesn't "by accident" invalidate fireflier's
rules.
> Ultimately, libsemanage will interface
> to a policy management daemon that will enforce such restriction more
> strongly, with the policy ensuring that the daemon can't be bypassed to
> directly manipulate the store.
>
> > How can I create a type that is structurally equivalent? (read all rules
> > associated with that type from the binary policy, and generate
> > allow/transition/etc. rules based on them?)
>
> Usually we do this by defining interfaces/macros in the policy itself,
> and then instantiating multiple types from it. Rather than trying to
> automatically infer it.
Right, but in that case you are writing the policy, you are designing the
policy. Considering the scenario I gave earlier, if the user/admin had known
that he needs separate rules for those 2 programs, he wouldn't have put them
in the same domain. Maybe it is just too complicated to handle this
automatically, and fireflier should do just this:
- let the user know what is the domain of the program(s) accessing that
socket
- let the user decide if he wants _all_ the programs in that domain to give
access, and if not (here comes the change):
- let fireflier create a new type, that the user will(could) customize
later
- use a predefined domain (already in policy)
- let the user modify the policy that only those programs remain in the
same domain, that need same access rights
When fireflier creates a type, it would be based on unconfined_t by default.
After all, if the user has Selinux enabled on his system:
- he either knows how to write selinux policies, so he can customize the .te
generated by fireflier
, or he uses a distro where the policy has already been written (properly), in
which case he should choose from a list of predefined domains only
Edwin
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2006-04-26 20:08 UTC|newest]
Thread overview: 272+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-04-02 9:40 [RFC] packet/socket owner match (fireflier) using skfilter Török Edwin
2006-04-03 15:18 ` James Morris
2006-04-03 15:39 ` Török Edwin
2006-04-05 15:06 ` Stephen Smalley
2006-04-07 17:34 ` Török Edwin
2006-04-07 18:24 ` [RFC][PATCH 0/7] fireflier LSM for labeling sockets based on its creator (owner) Török Edwin
2006-04-07 18:27 ` [RFC][PATCH 1/7] " Török Edwin
2006-04-12 19:11 ` Stephen Smalley
2006-04-14 20:02 ` Török Edwin
2006-04-07 18:38 ` [RFC][PATCH 2/7] implementation of LSM hooks Török Edwin
2006-04-12 17:42 ` Stephen Smalley
2006-04-14 20:01 ` [RESEND][RFC][PATCH " Török Edwin
2006-04-17 16:06 ` Stephen Smalley
2006-04-17 16:23 ` Christoph Hellwig
2006-04-17 17:03 ` Stephen Smalley
2006-04-17 17:08 ` Arjan van de Ven
2006-04-17 17:33 ` Christoph Hellwig
2006-04-17 18:02 ` Casey Schaufler
2006-04-17 18:15 ` Stephen Smalley
2006-04-17 19:26 ` Serge E. Hallyn
2006-04-17 19:31 ` James Morris
2006-04-17 19:47 ` Serge E. Hallyn
2006-04-17 20:02 ` Stephen Smalley
2006-04-19 14:52 ` David Safford
2006-04-19 15:26 ` Stephen Smalley
2006-04-19 17:57 ` Emily Ratliff
2006-04-19 18:33 ` Stephen Smalley
2006-04-20 12:27 ` Stephen Smalley
2006-04-19 15:47 ` Stephen Smalley
2006-04-17 22:15 ` Gerrit Huizenga
2006-04-17 22:48 ` Alan Cox
2006-04-17 22:58 ` James Morris
2006-04-18 2:00 ` Crispin Cowan
2006-04-17 22:55 ` Christoph Hellwig
2006-04-18 1:44 ` Gerrit Huizenga
2006-04-18 11:58 ` Christoph Hellwig
2006-04-18 16:50 ` Gerrit Huizenga
2006-04-18 17:27 ` Karl MacMillan
2006-04-18 19:31 ` Crispin Cowan
2006-04-18 19:50 ` Arjan van de Ven
2006-04-18 20:13 ` [Fireflier-devel] " Török Edwin
2006-04-18 20:31 ` Alan Cox
2006-04-18 19:33 ` [Fireflier-devel] Re: [RESEND][RFC][PATCH 2/7] implementationof " David Lang
2006-04-18 20:42 ` [Fireflier-devel] Re: [RESEND][RFC][PATCH 2/7] implementation of " Serge E. Hallyn
2006-04-18 20:23 ` Serge E. Hallyn
2006-04-19 18:32 ` Crispin Cowan
2006-04-19 18:48 ` Arjan van de Ven
2006-04-19 19:50 ` Jan Engelhardt
2006-04-19 18:50 ` Valdis.Kletnieks
2006-04-19 23:24 ` Tony Jones
2006-04-18 20:14 ` Stephen Smalley
2006-04-18 20:35 ` Crispin Cowan
2006-04-18 21:07 ` Greg KH
2006-04-19 12:22 ` Stephen Smalley
2006-04-18 20:26 ` Alan Cox
2006-04-18 20:57 ` Crispin Cowan
2006-04-18 21:36 ` James Morris
2006-04-18 23:09 ` Crispin Cowan
2006-04-18 23:27 ` Chris Wright
2006-04-18 23:57 ` James Morris
2006-04-19 1:48 ` Casey Schaufler
2006-04-19 6:40 ` Kyle Moffett
2006-04-19 6:56 ` Valdis.Kletnieks
2006-04-19 11:41 ` Serge E. Hallyn
2006-04-19 15:51 ` Valdis.Kletnieks
2006-04-19 16:00 ` Gene Heskett
2006-04-20 6:51 ` Kyle Moffett
2006-04-20 12:40 ` Stephen Smalley
2006-04-21 1:00 ` Nix
2006-04-21 14:24 ` Stephen Smalley
2006-04-24 8:14 ` Lars Marowsky-Bree
2006-04-25 0:19 ` Valdis.Kletnieks
2006-04-25 7:21 ` Nix
2006-04-19 7:44 ` Arjan van de Ven
2006-04-19 11:53 ` Serge E. Hallyn
2006-04-19 12:56 ` Stephen Smalley
2006-04-19 12:54 ` Stephen Smalley
2006-04-19 16:42 ` Casey Schaufler
2006-04-19 18:01 ` Stephen Smalley
2006-04-20 4:10 ` Casey Schaufler
2006-04-20 4:29 ` James Morris
2006-04-20 4:56 ` Chris Wright
2006-04-18 23:16 ` Casey Schaufler
2006-04-18 23:19 ` Christoph Hellwig
2006-04-19 5:22 ` Arjan van de Ven
2006-04-19 12:40 ` Stephen Smalley
2006-04-18 23:09 ` Casey Schaufler
2006-04-19 5:23 ` Arjan van de Ven
2006-04-18 18:46 ` Alan Cox
2006-04-18 19:59 ` Serge E. Hallyn
2006-04-18 20:20 ` Stephen Smalley
2006-04-18 20:36 ` Serge E. Hallyn
2006-04-18 23:00 ` Casey Schaufler
2006-04-19 9:03 ` Bernhard R. Link
2006-04-18 21:38 ` Kurt Garloff
2006-04-19 7:04 ` Valdis.Kletnieks
2006-04-19 7:36 ` Arjan van de Ven
2006-04-19 12:10 ` Serge E. Hallyn
2006-04-19 12:55 ` Yuichi Nakamura
2006-04-19 15:44 ` Greg KH
2006-04-19 16:02 ` Stephen Smalley
2006-04-19 16:06 ` Greg KH
2006-04-19 21:10 ` Crispin Cowan
2006-04-19 21:48 ` Yuichi Nakamura
2006-04-20 12:44 ` Karl MacMillan
2006-04-19 13:09 ` Stephen Smalley
2006-04-18 11:59 ` Stephen Smalley
2006-04-17 23:09 ` Chris Wright
2006-04-17 19:37 ` Stephen Smalley
2006-04-18 13:05 ` Kazuki Omo(Company)
2006-04-18 13:37 ` James Morris
2006-04-18 14:45 ` Greg KH
2006-04-18 15:51 ` Casey Schaufler
2006-04-18 16:07 ` Greg KH
2006-04-17 19:20 ` Time to remove LSM (was Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks) James Morris
2006-04-17 19:51 ` Greg KH
2006-04-17 20:08 ` Arjan van de Ven
2006-04-17 21:26 ` Alan Cox
2006-04-17 23:26 ` Casey Schaufler
2006-04-18 2:29 ` Valdis.Kletnieks
2006-04-18 12:22 ` Serge E. Hallyn
2006-04-18 12:59 ` Stephen Smalley
[not found] ` <20060418132121.GE7562@sergelap.austin.ibm.com>
2006-04-18 13:40 ` Stephen Smalley
2006-04-18 20:13 ` Crispin Cowan
2006-04-18 23:01 ` Valdis.Kletnieks
2006-04-20 0:19 ` Crispin Cowan
2006-04-20 15:27 ` Valdis.Kletnieks
2006-04-21 15:23 ` Ken Brush
2006-04-21 19:51 ` Valdis.Kletnieks
2006-04-22 20:52 ` Ken Brush
2006-04-23 9:45 ` Valdis.Kletnieks
2006-04-24 8:24 ` Lars Marowsky-Bree
2006-04-24 12:42 ` Alan Cox
2006-04-24 12:44 ` Lars Marowsky-Bree
2006-04-24 12:45 ` Olivier Galibert
2006-04-24 12:54 ` Arjan van de Ven
2006-04-24 13:09 ` Serge E. Hallyn
2006-04-24 13:16 ` Arjan van de Ven
2006-04-24 13:29 ` Serge E. Hallyn
2006-04-24 13:40 ` Arjan van de Ven
2006-04-24 13:54 ` Serge E. Hallyn
2006-04-24 14:07 ` Arjan van de Ven
2006-04-25 19:06 ` Serge E. Hallyn
2006-04-25 4:07 ` Casey Schaufler
2006-04-24 14:08 ` Olivier Galibert
2006-04-25 16:29 ` Stephen Smalley
2006-04-25 22:26 ` Olivier Galibert
2006-04-26 12:14 ` Stephen Smalley
2006-04-26 16:03 ` Olivier Galibert
2006-04-27 6:56 ` Thomas Bleher
2006-04-24 12:55 ` Serge E. Hallyn
2006-04-24 12:56 ` Serge E. Hallyn
2006-04-24 14:02 ` Alan Cox
2006-04-24 14:04 ` Serge E. Hallyn
2006-04-24 14:31 ` Alan Cox
2006-04-24 14:28 ` Serge E. Hallyn
2006-04-24 14:45 ` David Lang
2006-04-24 16:50 ` Arjan van de Ven
2006-04-25 16:31 ` Stephen Smalley
2006-04-25 16:23 ` Stephen Smalley
2006-04-25 2:06 ` Valdis.Kletnieks
2006-04-25 7:36 ` Lars Marowsky-Bree
2006-04-20 21:13 ` Pavel Machek
2006-04-23 3:50 ` Crispin Cowan
2006-04-23 9:33 ` Valdis.Kletnieks
2006-04-23 14:58 ` Thomas Bleher
2006-04-24 8:28 ` Lars Marowsky-Bree
2006-04-24 8:37 ` Arjan van de Ven
2006-04-24 8:54 ` Lars Marowsky-Bree
2006-04-24 9:12 ` Arjan van de Ven
2006-04-25 0:31 ` Valdis.Kletnieks
2006-04-20 17:46 ` Pavel Machek
2006-04-18 2:38 ` Valdis.Kletnieks
2006-04-19 8:16 ` Jan Engelhardt
2006-04-19 15:40 ` Greg KH
2006-04-19 16:33 ` James Morris
2006-04-19 18:10 ` Greg KH
2006-04-19 19:33 ` Chris Wright
2006-04-20 12:39 ` Stephen Smalley
2006-04-20 12:51 ` Serge E. Hallyn
2006-04-20 15:00 ` Removing EXPORT_SYMBOL(security_ops) (was Re: Time to remove LSM) Greg KH
2006-04-20 14:20 ` Stephen Smalley
2006-04-20 16:15 ` Greg KH
2006-04-20 16:23 ` Christoph Hellwig
2006-04-20 16:34 ` Stephen Smalley
2006-04-20 16:46 ` Greg KH
2006-04-20 17:00 ` Stephen Smalley
2006-04-20 17:01 ` [PATCH] make security_ops EXPORT_SYMBOL_GPL() Greg KH
2006-04-20 18:08 ` Linus Torvalds
2006-04-20 19:34 ` Greg KH
2006-04-21 16:50 ` Greg KH
2006-04-21 17:34 ` Chris Wright
2006-04-20 17:02 ` Removing EXPORT_SYMBOL(security_ops) (was Re: Time to remove LSM) Tony Jones
2006-04-20 20:14 ` Chris Wright
2006-04-19 19:22 ` Time to remove LSM (was Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks) Jan Engelhardt
2006-04-19 20:48 ` Greg KH
2006-04-19 20:59 ` Serge E. Hallyn
2006-04-19 21:08 ` Randy.Dunlap
2006-04-19 16:00 ` Arjan van de Ven
2006-04-19 19:06 ` Jan Engelhardt
2006-04-19 20:11 ` Greg KH
2006-04-19 20:52 ` Randy.Dunlap
2006-04-19 20:54 ` Arjan van de Ven
2006-04-19 21:05 ` Jan Engelhardt
2006-04-20 12:20 ` Stephen Smalley
2006-04-21 13:30 ` Jan Engelhardt
2006-04-21 15:05 ` Greg KH
2006-05-01 13:45 ` [PATCH 0/4] MultiAdmin LSM Jan Engelhardt
2006-05-01 13:48 ` [PATCH 1/4] security_cap_extra() and more Jan Engelhardt
2006-05-01 13:49 ` [PATCH 2/4] Use of capable_light() Jan Engelhardt
2006-05-01 13:49 ` [PATCH 3/4] task_post_setgid() Jan Engelhardt
2006-05-01 13:50 ` [PATCH 4/4] MultiAdmin module Jan Engelhardt
2006-05-01 14:56 ` James Morris
2006-05-01 15:05 ` Greg KH
2006-05-01 13:50 ` [PATCH 0/4] MultiAdmin LSM Arjan van de Ven
2006-05-01 16:03 ` [PATCH 4a/4] MultiAdmin LSM (LKCS'ed) Jan Engelhardt
2006-05-01 16:47 ` Greg KH
2006-05-01 17:42 ` Jan Engelhardt
2006-05-01 18:07 ` Greg KH
2006-05-01 20:19 ` Jan Engelhardt
2006-05-01 21:47 ` Adrian Bunk
2006-05-01 20:56 ` [PATCH 0/4] MultiAdmin LSM Pavel Machek
2006-05-02 4:22 ` James Morris
2006-04-21 16:25 ` Time to remove LSM (was Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks) Stephen Smalley
2006-04-21 18:57 ` Jan Engelhardt
2006-04-21 19:56 ` Stephen Smalley
2006-04-22 11:13 ` Jan Engelhardt
2006-04-20 23:41 ` Pavel Machek
2006-04-19 17:00 ` Valdis.Kletnieks
2006-04-17 20:20 ` Chris Wright
2006-04-17 20:24 ` Arjan van de Ven
2006-04-17 20:27 ` Time to remove LSM David S. Miller
2006-04-17 20:27 ` Time to remove LSM (was Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks) Chris Wright
2006-04-17 20:34 ` Greg KH
2006-04-17 20:38 ` Chris Wright
2006-04-17 20:43 ` Arjan van de Ven
2006-04-17 20:53 ` Chris Wright
2006-04-17 20:45 ` alan
[not found] ` <2e00cdfd0604171437g1d6c6923w5db82f317ed0f56@mail.gmail.com>
2006-04-17 22:07 ` Chris Wright
2006-04-17 22:10 ` Arjan van de Ven
2006-04-17 20:51 ` Adrian Bunk
2006-04-17 20:08 ` [RESEND][RFC][PATCH 2/7] implementation of LSM hooks David S. Miller
2006-04-17 18:20 ` Török Edwin
2006-04-23 19:58 ` Labeling only policy and problems with booleans Török Edwin
2006-04-26 13:37 ` Stephen Smalley
2006-04-26 14:13 ` Christopher J. PeBenito
2006-04-26 18:18 ` Török Edwin
2006-04-26 19:23 ` Christopher J. PeBenito
2006-04-26 18:13 ` Török Edwin
2006-04-26 19:26 ` Stephen Smalley
2006-04-26 20:08 ` Török Edwin [this message]
2006-04-27 19:17 ` Török Edwin
2006-04-27 19:53 ` Karl MacMillan
2006-05-01 16:06 ` [PATCH ] consistent labeling of block|character devices Török Edwin
2006-05-01 19:51 ` Stephen Smalley
2006-05-01 16:17 ` [1/4] Labeling only policy for fireflier Török Edwin
2006-05-01 16:34 ` [2/4] Labeling only policy for fireflier (fireflier.pp) Török Edwin
2006-05-01 16:38 ` [3/4] Labeling only policy for fireflier (example module) Török Edwin
2006-05-03 14:35 ` [2/4] Labeling only policy for fireflier (fireflier.pp) Christopher J. PeBenito
2006-05-01 16:43 ` [4/4] Labeling only policy for fireflier (install) Török Edwin
2006-05-01 18:55 ` [1/4] Labeling only policy for fireflier Christopher J. PeBenito
2006-05-02 15:36 ` Török Edwin
2006-04-07 18:39 ` [RFC][PATCH 3/7] sidtab - hashtable to store SIDs Török Edwin
2006-04-07 18:41 ` [RFC][PATCH 4/7] exports Török Edwin
2006-04-07 18:43 ` [RFC][PATCH 5/7] debugging/testing support Török Edwin
2006-04-07 18:44 ` [RFC][PATCH 6/7] userspace Török Edwin
2006-04-07 18:46 ` [RFC][PATCH 7/7] stacking support for capability module Török Edwin
2006-04-07 19:18 ` Serge E. Hallyn
2006-04-07 19:45 ` [RFC][PATCH 0/7] fireflier LSM for labeling sockets based on its creator (owner) Chris Wright
2006-04-08 7:41 ` edwin
2006-04-21 15:26 ` [RFC] packet/socket owner match (fireflier) using skfilter Mikado
2006-04-21 16:18 ` Török Edwin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200604262308.16575.edwin@gurde.com \
--to=edwin@gurde.com \
--cc=cpebenito@tresys.com \
--cc=fireflier-devel@lists.sourceforge.net \
--cc=jbrindle@tresys.com \
--cc=marius@cs.utt.ro \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.