On Fri, 29 Sep 2006, Paul Moore wrote:

> James Morris wrote:
> > Ok, can you please explain it further?
> >
> > i.e. show me what the policy looks like, exactly what the user is trying
> > to achieve, and explain what happens to each packet exactly in terms of
> > labeling on the input and output paths.
>
> All right, here is my take on it, perhaps Venkat can chime in too.
Thanks, that cleared up many things, but how does this interact with
CONNSECMARK?

Please provide some example iptables rules, SELinux policy statements,
racoon config and netlabel config.  I need to understand exactly what
happens to each packet in, say, an FTP session and how you envisage the
configuration.

Here's a sample scenario for the above (let me know if this is not how you
expect this to be used):

Say that the SA is labeled "secret" and you have two FTP clients connecting
to a server via xinetd on this SA.  Each client additionally labels their
packets via CIPSO as secret:c1 and secret:c2 respectively.  xinetd launches
an FTP server for each at the correct level.


- James
-- 
James Morris
<[EMAIL PROTECTED]>
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
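The following is an added example, not part of the original thread and not configuration posted by Paul Moore, Venkat or James Morris. It sketches one possible answer to the request above for the two-client FTP scenario: SECMARK/CONNSECMARK iptables rules that label the control connection and carry the label across the connection, setkey SPD entries (used here in place of racoon config) that give the IPsec SA its security context, netlabelctl commands that pass the clients' CIPSO labels through, and the single SELinux packet rule the server domain would need. The addresses, the DOI, the type names (ftp_server_packet_t, ipsec_spd_t, ftpd_t) and the mapping of "secret" to sensitivity s2 are all assumptions; the script only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example for the two-client FTP scenario: dry-run by default, prints the
# iptables, setkey, netlabelctl and policy fragments instead of applying them.
# Every label, address and DOI below is an assumption for illustration.
#
# Assumed MLS translation (setrans.conf): s2 = "secret", so the clients'
# CIPSO labels secret:c1 and secret:c2 arrive as s2:c1 and s2:c2.

SERVER=10.0.0.1                                  # assumed FTP server address
CLIENT_NET=10.0.0.0/24                           # assumed client network
PKT_TYPE=ftp_server_packet_t                     # assumed SECMARK packet type
PKT_CTX="system_u:object_r:$PKT_TYPE:s2"         # label stamped on FTP packets
SA_CTX="system_u:object_r:ipsec_spd_t:s2"        # assumed context of the "secret" SA
CIPSO_DOI=1                                      # assumed CIPSO DOI

# run: print the command in dry-run mode, execute it only when APPLY=1
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# SECMARK labels the first packet of each new FTP control connection;
# CONNSECMARK --save copies that label into the conntrack entry, and
# --restore stamps it onto every later packet of the connection in both
# directions, so the port match is only needed once.  Data connections set
# up through the ftp conntrack helper are RELATED and get the same treatment.
secmark_rules() {
    run iptables -t mangle -A INPUT -p tcp --dport 21 -m state --state NEW \
        -j SECMARK --selctx "$PKT_CTX"
    run iptables -t mangle -A INPUT -m state --state NEW -j CONNSECMARK --save
    run iptables -t mangle -A INPUT -m state --state ESTABLISHED,RELATED \
        -j CONNSECMARK --restore
    run iptables -t mangle -A OUTPUT -m state --state ESTABLISHED,RELATED \
        -j CONNSECMARK --restore
}

# setkey SPD entries for the labeled SA: "-ctx <doi> <alg> <context>" attaches
# the security context the SA must carry (labeled IPsec), in place of a
# racoon configuration that would negotiate the same thing.
spd_config() {
    cat <<EOF
spdadd $CLIENT_NET $SERVER tcp -ctx 1 1 "$SA_CTX" -P in ipsec esp/transport//require;
spdadd $SERVER $CLIENT_NET tcp -ctx 1 1 "$SA_CTX" -P out ipsec esp/transport//require;
EOF
}

# NetLabel: a pass-through CIPSO DOI keeps the clients' sensitivity and
# category bits unchanged, and the default map sends all traffic to it.
netlabel_rules() {
    run netlabelctl cipsov4 add pass doi:$CIPSO_DOI tags:1
    run netlabelctl map add default protocol:cipsov4,$CIPSO_DOI
}

# Hypothetical SELinux rule: the FTP server domain must be allowed to send and
# receive packets carrying the SECMARK type.
policy_rule() {
    printf 'allow ftpd_t %s:packet { send recv };\n' "$PKT_TYPE"
}

# Stand-alone run: print (or apply, with APPLY=1) all four fragments.
secmark_rules
spd_config
netlabel_rules
policy_rule
```

Running the script without APPLY prints the fragments so they can be reviewed before anything touches the kernel; with APPLY=1 the iptables and netlabelctl commands are executed as root, while the setkey and policy fragments are still only printed and have to be loaded with setkey -f and the policy toolchain respectively.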