On Tue, 9 May 2006, Karl MacMillan wrote:
> Ok - I obviously don't have the expertise to judge how ugly the code to
> do this is. It becomes a question of whether the feature is compelling
> enough.
Actually, I think there may be a good way to do this, will investigate.
- James
--
James Morris
On Tue, 2006-05-09 at 12:40 -0400, James Morris wrote:
> On Tue, 9 May 2006, Karl MacMillan wrote:
>
> > those connection, but my concern is that connection could, through error
> > or exploit, be passed to another domain that should not receive packets
> > from that type of connection (see below)
On Tue, 9 May 2006, Karl MacMillan wrote:
> those connection, but my concern is that connection could, through error
> or exploit, be passed to another domain that should not receive packets
> from that type of connection (see below).
Connection passing or inheritance should be subject to kernel
On Mon, 2006-05-08 at 17:29 -0400, James Morris wrote:
> On Mon, 8 May 2006, Karl MacMillan wrote:
>
> > Something like CONNMARK seems preferable to me (perhaps even allowing
> > type_transition rules to give the related packets a unique type). This
> > makes the labeling reflect the real security
On Mon, 8 May 2006, Karl MacMillan wrote:
> Something like CONNMARK seems preferable to me (perhaps even allowing
> type_transition rules to give the related packets a unique type). This
> makes the labeling reflect the real security property of the packets.
That's arguable. The real security pr
On Sun, 2006-05-07 at 13:43 -0400, James Morris wrote:
> On Sun, 7 May 2006, Joshua Brindle wrote:
>
> > It looks like you are labeling all packets on an established connection as
> > tracked_packet_t. What is the rationale for not labeling all ftp traffic as
> > ftpd_packet_t? Granted that it's ve
(note: an old, incorrect address for netfilter-devel was used in the
initial mail, please update to the correct one as above if replying to
this thread).
--
James Morris
<[EMAIL PROTECTED]>
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL P
On Sun, 7 May 2006, Joshua Brindle wrote:
> It looks like you are labeling all packets on an established connection as
> tracked_packet_t. What is the rationale for not labeling all ftp traffic as
> ftpd_packet_t? Granted that it's very unlikely for established connections to
> go to the wrong proc
James Morris wrote:
For example, SELinux will now be able to utilize connection tracking, so
that only packets which are known to be valid for a specific connection
will be allowed to reach the subject.
Sample iptables rules for labeling packets are at:
http://people.redhat.com/jmorris/selinux
The following patchsets implement a new scheme for adding security
markings to packets via iptables, as well as changes to SELinux to use
these markings for security policy enforcement.
Along with these patches, assorted files including policy examples and
patches for SELinux userland may be fo