Limiting IPC with SELinux?
Stephen Smalley
sds at tycho.nsa.gov
Mon Apr 25 13:00:43 UTC 2005
On Mon, 2005-04-25 at 08:38 -0400, Stephen Smalley wrote:
> On Fri, 2005-04-22 at 14:58 -0400, James Morris wrote:
> > On Fri, 22 Apr 2005, Steve Brueckner wrote:
> >
> > > return ephemeral ports. Or is there a chance of re-visiting the idea of
> > > getting labeled networking into the kernel?
> >
> > Work is being done on labeled networking via IPsec, see Trent Jaeger's
> > paper at http://www.selinux-symposium.org/2005/agenda.php
>
> True, but I don't think this will help much in this particular case, as
> the original poster wants to control information flow via loopback and
> you aren't likely to be using IPsec on such traffic. In the absence of
> a sk_buff security field and associated hooks for lifecycle management,
> I think that we'd have to go with something like the iptables MARK
> module, à la LIDS.
Actually, Thomas Bleher's suggestion of extending the ipt owner module
might be better.
--
Stephen Smalley <sds at tycho.nsa.gov>
National Security Agency