From mboxrd@z Thu Jan 1 00:00:00 1970
From: Paul Moore
To: Joe Nall
Subject: Re: [RFC 0/5] Static/fallback external labels for NetLabel
Date: Tue, 28 Aug 2007 14:51:53 -0400
Cc: Darrel Goeddel, Venkat Yekkirala, selinux@tycho.nsa.gov, James Morris, Darrel Goeddel, Stephen Smalley, kaigai@ak.jp.nec.com, Eric Paris
References: <200708281151.07120.paul.moore@hp.com> <4C3962FB-2689-420B-B3E8-F07AF2A48255@nall.com>
In-Reply-To: <4C3962FB-2689-420B-B3E8-F07AF2A48255@nall.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Message-Id: <200708281451.53650.paul.moore@hp.com>
Sender: owner-selinux@tycho.nsa.gov
List-Id: selinux@tycho.nsa.gov

On Tuesday, August 28 2007 12:18:05 pm Joe Nall wrote:
> On Aug 28, 2007, at 10:51 AM, Paul Moore wrote:
> > Hmm, so in summary, you (TCS) don't see a need for flow control of
> > fallback labels with granularity greater than a single host and if
> > really pushed interface level granularity would most likely suffice.
> > I'll venture that host/network level granularity might be nice for
> > normal users who only have one interface which connects to multiple
> > networks, e.g. the person sitting at home on a private home network
> > which also connects to the big-bad-internet via a nat box provided
> > by their ISP.
>
> This matches my CMW experience. Interface labeling is a must. Per
> host/net default labeling is very useful, but isn't a show-stopper.
> Per host/net default labeling is particularly useful when testing
> since most of us don't have a dozen physical interfaces and
> associated infrastructure for test.

That's good to know others have the same needs/requirements. We've been going
around in circles for a while now but I think we are finally starting to
settle on what we need.

> Will interface aliases (eth0:1) be able to take on different labels from
> their base interface?

Not sure, it all depends on if an interface alias ends up creating a separate
net_device struct in the kernel, I don't have the answer to this off the top
of my head. What is your preference?

--
paul moore
linux security @ hp