o
> address concerns raised by Karl MacMillan on providing fine-grained
> assurances for network applications which pass connections (e.g. xinetd).
>
> If all looks ok, I'll rebase the entire patchset (also merging elements
> from the patch below back into other patches), a
On Tue, 2006-05-09 at 12:40 -0400, James Morris wrote:
> On Tue, 9 May 2006, Karl MacMillan wrote:
>
> > those connection, but my concern is that connection could, through error
> > or exploit, be passed to another domain that should not receive packets
> > from that type
On Mon, 2006-05-08 at 17:29 -0400, James Morris wrote:
> On Mon, 8 May 2006, Karl MacMillan wrote:
>
> > Something like CONNMARK seems preferable to me (perhaps even allowing
> > type_transition rules to give the related packets a unique type). This
> > makes the l
Glad that you added this. This only checks on the addition of rules,
correct? Obviously changes that don't include an addition (e.g.,
removal) could change the labeling behavior. Is it possible / needed to
try to provide anything like the relabelto/relabelfrom pairing that is
present for f
erious downsides to this approach?
> You can always not use conntrack and emulate the existing controls, as
> well.
>
Yes, but gaining connection tracking is a major advantage of this
approach over the existing controls.
Karl
--
Karl MacMillan
Tresys Technology
www.tresys.com
> &
