On Thu, Sep 27, 2007 at 00:12:12 -0400, Ric Moore <wayward4now@xxxxxxxxx> wrote:
>
> NOW you've got my attention. I actually need something just like that.
> As a matter of fact, if you could REALLY lock down the front porch,
> restricting service to just your subnets, and a local DNS server, you
> wouldn't need the guards inside to be set strict? As much? Tell me about
> this... inquiring minds want to know. What's the real deal? Ric

I have just seen discussions for patches dealing with this on the selinux list. I don't know what exactly the final plan is supposed to be. I believe you are supposed to be able to attach context to packets based on host and port information. This allows you to at least label packets based on address and port information reliably (as much as you can trust the ipsec signatures). I don't know if the sender of a packet will be able to attach context to packets that the recipient can use.