Limiting IPC with SELinux?

Stephen Smalley sds at tycho.nsa.gov
Mon Apr 25 13:00:43 UTC 2005


On Mon, 2005-04-25 at 08:38 -0400, Stephen Smalley wrote:
> On Fri, 2005-04-22 at 14:58 -0400, James Morris wrote:
> > On Fri, 22 Apr 2005, Steve Brueckner wrote:
> > 
> > > return ephemeral ports.  Or is there a chance of re-visiting the idea of
> > > getting labeled networking into the kernel?
> > 
> > Work is being done on labeled networking via IPsec, see Trent Jaeger's 
> > paper at http://www.selinux-symposium.org/2005/agenda.php
> 
> True, but I don't think this will help much in this particular case, as
> the original poster wants to control information flow via loopback and
> you aren't likely to be using IPSEC on such traffic.  In the absence of
> a sk_buff security field and associated hooks for lifecycle management,
> I think that we'd have to go with something like the iptables MARK
> module, ala LIDS.

Actually, Thomas Bleher's suggestion of extending the ipt owner module
might be better.

-- 
Stephen Smalley <sds at tycho.nsa.gov>
National Security Agency