From: edwin@gurde.com
To: jmorris@namei.org
Cc: netdev@vger.kernel.org, fireflier-devel@lists.sourceforge.net
Subject: Re: [PATCH][RFC] Security marking
Date: Mon, 17 Apr 2006 21:40:53 +0300 (EEST)
Message-ID: <20060417184053.6D618378FD@localhost.localdomain>
In-Reply-To: Pine.LNX.4.64.0604160012500.16600@d.namei


Secmark, or skfilter is exactly what fireflier needs to solve the shared socket issue. Thanks for working on this.
If this gets integrated in mainline, fireflier LSM will be dropped. 

Is it possible to have an SELinux policy that reinjects the packets if they didn't match any rules?
I.e. if a program that listens on port 80 doesn't have access to the packet (because it doesn't have the proper domain)
and SELinux won't allow the program to read the packet: is it possible to reinject this packet into the netfilter chain,
instead of dropping it?

This would allow creating rules interactively (fireflier). 

But it could also be used for other purposes.
For example: if the program that listens on that port crashes, that means no program would match the required domain+port.
If in that case the packet would be reinjected, then the packet could be rerouted (by adding proper rules to mangle the packet)
to a different program/computer. AFAIK this isn't currently possible with netfilter (please correct me if I'm wrong).

What does the secmark currently do with packets that aren't allowed by policy to be received?

P.S.: Where can I get the full secmark patches, so I can test them to see if they really fit my needs?
Do you have an estimate timeline for mainline integration? (in terms of n weeks, m months)

Cheers,
Edwin
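The message above refers to a domain+port pairing enforced through secmark. As an added illustration (not code from this thread or from the secmark patches themselves), the script below shows the shape that pairing takes with the SECMARK/CONNSECMARK iptables targets and the SELinux `packet` class as they were later merged in mainline: packets arriving on TCP port 80 are labelled with a packet context, and only a process running in the web server domain is allowed to receive them. The type names `httpd_t` and `httpd_packet_t` and the module name are assumptions chosen for the example; the rules are only printed unless `--apply` is given, and applying them requires root on an SELinux-enabled host.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed names: httpd_t,
# httpd_packet_t, secmark_example. Real use needs root, SELinux enabled and
# a kernel/iptables with the SECMARK and CONNSECMARK targets.

PACKET_CTX="system_u:object_r:httpd_packet_t:s0"

# Type-enforcement policy: declare the packet type and grant the web server
# domain permission to receive and send packets carrying that label. Any
# other domain that reads from a socket receiving these packets fails the
# recv check, and the kernel drops the packet at the socket receive hook.
secmark_policy() {
    cat <<'EOF'
policy_module(secmark_example, 1.0)

require {
    type httpd_t;
}

type httpd_packet_t;
allow httpd_t httpd_packet_t:packet { recv send };
EOF
}

# Netfilter side: SECMARK stamps the first packet of a new port-80
# connection, CONNSECMARK --save copies the mark into the conntrack entry,
# and CONNSECMARK --restore puts it back onto every later packet of that
# connection in both directions, so the whole flow carries one label.
secmark_rules() {
    cat <<EOF
iptables -t mangle -A INPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
iptables -t mangle -A OUTPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
iptables -t mangle -A INPUT -p tcp --dport 80 -m state --state NEW -j SECMARK --selctx $PACKET_CTX
iptables -t mangle -A INPUT -p tcp --dport 80 -m state --state NEW -j CONNSECMARK --save
EOF
}

# Count the rules that attach a label; useful as a sanity check before apply.
labelled_rule_count() {
    secmark_rules | grep -c -- "--selctx"
}

case "${1:-}" in
    --apply)
        # Build and load the policy module, then install the rules.
        secmark_policy > secmark_example.te
        checkmodule -M -m -o secmark_example.mod secmark_example.te
        semodule_package -o secmark_example.pp -m secmark_example.mod
        semodule -i secmark_example.pp
        secmark_rules | sh -e
        ;;
    *)
        # Dry run: show what would be installed.
        secmark_policy
        echo
        secmark_rules
        ;;
esac
```

Run without arguments to review the generated policy and rules; run with `--apply` as root to install them. The ordering matters: the `--restore` rules must precede the `NEW` rules so that established packets regain their label before any fresh labelling decision is made, and the `--save` rule must follow the `SECMARK` rule so that the mark being saved is the one just applied.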
