On Wed, 8 Nov 2006, Paul Moore wrote:

> James Morris wrote:
> > On Wed, 8 Nov 2006, Paul Moore wrote:
> >
> >> 1. Functionality is available right now, no additional kernel changes needed
> >> 2. No special handling for localhost, I tend to like the idea of having
> >> consistent behavior for all addresses/interfaces
> >
> > I don't agree. SO_PEERSEC should always just work for loopback, just like
> > with Unix sockets.
>
> My main concern is that we would have "special" behavior for a single IP
> address and that this behavior wouldn't be subject to the same labeled
> networking configuration/management methods as the rest of the address space.

It's a very special case, and loopback networking has lots of special case
handling because of this. It's nearly zero cost to have this work, and then
you get full SELinux control over local IP communications.

It doesn't prevent the IPsec stuff from working, if you want it to override
the default. But would people really run IPsec for localhost communications?

Let's keep the simple case simple.

> Treating localhost like any other IP address seems consistent with the
> way we handle Unix sockets - we don't have any special handling
> depending on the path of the socket.

Unix sockets can't do both local and remote communication.

- James
-- 
James Morris
<[EMAIL PROTECTED]>
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html