> > This is indeed the "designed" and expected (for me) behavior.
>
> This is a security hole. SELinux denies all access by default, so the
> default behavior of this code is to allow all traffic to bypass IPsec.
>
> You should not need to add a rule to 'allow' increased security.
You are right. Currently working on a patch (should be out tonight/tomorrow).

<snip>

> This needs to be handled within SELinux as far as possible, and errors
> will generally need to be propagated back to the callers, as we don't know
> what other LSMs might do, and errors unrelated to access control can be
> returned.

Agreed here as well. I have yet to review your patch in depth, but it definitely makes sense to do what you say here. Thanks.

> - James
> --
> James Morris
> <[EMAIL PROTECTED]>
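As an added illustration (not the patch discussed in this thread, and using hypothetical names rather than real kernel identifiers), a small C model of the fail-open James describes: when a lookup swallows an LSM denial and reports it as "no matching policy", a default-deny SELinux result lets the flow go out in the clear; propagating the error to the caller turns the same denial into a drop.

```c
/* Added example, not the thread's patch. All names are hypothetical
 * stand-ins, not kernel identifiers. */
#include <errno.h>
#include <stddef.h>

enum verdict { SEND_ENCRYPTED, SEND_CLEAR, DROP };

struct policy { int selector; int label; };

/* Hypothetical LSM hook with SELinux-style default deny: only a flow
 * whose label equals the policy's label is allowed. */
static int lsm_policy_match(const struct policy *p, int flow_label)
{
    return p->label == flow_label ? 0 : -EACCES;
}

/* Constructed policy table: one IPsec policy covering selector 10. */
static const struct policy table[] = { { .selector = 10, .label = 1 } };
#define NPOL (sizeof table / sizeof table[0])

/* "Before": an LSM denial looks exactly like "no policy matches",
 * so the caller concludes there is nothing to protect the flow. */
static const struct policy *lookup_before(int selector, int flow_label)
{
    for (size_t i = 0; i < NPOL; i++)
        if (table[i].selector == selector &&
            lsm_policy_match(&table[i], flow_label) == 0)
            return &table[i];
    return NULL;                     /* "no policy" -> bypass IPsec */
}

/* "After": the LSM error is handed back through *err so the caller
 * can distinguish "denied" from "no policy covers this flow". */
static const struct policy *lookup_after(int selector, int flow_label, int *err)
{
    *err = 0;
    for (size_t i = 0; i < NPOL; i++) {
        if (table[i].selector != selector)
            continue;
        *err = lsm_policy_match(&table[i], flow_label);
        return *err ? NULL : &table[i];
    }
    return NULL;
}

enum verdict xmit_before(int selector, int flow_label)
{
    return lookup_before(selector, flow_label) ? SEND_ENCRYPTED : SEND_CLEAR;
}

enum verdict xmit_after(int selector, int flow_label)
{
    int err;
    const struct policy *p = lookup_after(selector, flow_label, &err);
    if (err)
        return DROP;                 /* fail closed on LSM denial */
    return p ? SEND_ENCRYPTED : SEND_CLEAR;
}
```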