From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Fri, 3 May 2013 19:21:50 +0200
Subject: [refpolicy] [PATCH/RFC 2/2] Add minidlna policy
In-Reply-To: <5183BFEE.1030309@tresys.com>
References: <20130501183657.GA25116@siphos.be> <20130501183845.GC25116@siphos.be> <1367509285.27309.34.camel@d30> <20130502192347.GA25444@siphos.be> <1367524372.27309.45.camel@d30> <5183BFEE.1030309@tresys.com>
Message-ID: <20130503172150.GA15138@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, May 03, 2013 at 09:47:26AM -0400, Christopher J. PeBenito wrote:
> As you mentioned in a later email, compat_net has been removed. The SELinux network access controls are only SECMARK now.
> [...]
> Yes. I think what you're confused on is that SECMARK labels are local only. They are not transferred over the network like labeled IPSEC or NetLabel/CIPSO. The object class for those labels is peer. The only remaining permissions on port types are name_bind and name_connect.

So for each port type that we declare, the corenet_{tcp,udp}_sendrecv_*_port is actually void now? Only corenet_{tcp,udp}_{bind,connect}_*_port is then used?

It starts making sense. Even if SECMARK is used, the bind/connect is still needed, right?

Wkr,
	Sven Vermeulen
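The following module fragment illustrates the split the exchange above describes: port types keep only name_bind and name_connect, the old port sendrecv interfaces grant nothing, and packet access is a separate SECMARK matter. It is an added example written for this page, not part of the minidlna patch under discussion or of refpolicy itself. The domain example_t and the choice of the http port are assumptions made purely for illustration; the corenet_* interfaces named are the standard refpolicy ones.

```selinux
policy_module(example_net, 1.0.0)

########################################
#
# Declarations
#
# example_t is a hypothetical daemon domain used only for this example.
#

type example_t;
type example_exec_t;
init_daemon_domain(example_t, example_exec_t)

########################################
#
# Local policy
#

allow example_t self:tcp_socket create_stream_socket_perms;

# Listening: bind() needs node_bind on the node type and name_bind on
# the port type. These are the permissions that survived the removal of
# compat_net, so a server still needs them whether or not SECMARK is in use.
corenet_tcp_bind_generic_node(example_t)
corenet_tcp_bind_http_port(example_t)

# Connecting out: connect() needs name_connect on the port type.
corenet_tcp_connect_http_port(example_t)

# The port sendrecv interfaces used to grant the compat_net permissions
# (send_msg/recv_msg on the port type). With compat_net gone they add
# nothing, so a new module should not carry them:
# corenet_tcp_sendrecv_http_port(example_t)

# Per-packet control is SECMARK: permissions on the packet class, against
# labels that the local iptables/nftables SECMARK rules assign. These only
# take effect on hosts that actually configure SECMARK; elsewhere traffic
# is unlabeled and these rules are never consulted.
corenet_sendrecv_http_server_packets(example_t)
corenet_sendrecv_http_client_packets(example_t)
```

To confirm on a built policy that a port type carries nothing beyond bind and connect permissions, query it with setools, e.g. `sesearch -A -t http_port_t -c tcp_socket`: the only permissions listed on the port type should be name_bind and name_connect. Any packet-class rules are matched against labels set by SECMARK rules on that host (an iptables SECMARK target with --selctx, or the nftables equivalent), which is what "local only" means in the reply above: the label never leaves the machine, unlike labeled IPsec or NetLabel/CIPSO, which are checked via the peer class.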