On Wednesday 14 January 2009 8:54:22 pm Justin P. Mattock wrote:
> Paul Moore wrote:
> apologize for the slow response
> (had to do some external activities);

No problem, I've got a day job too :)

> > NOTE: the domain mapping configuration only controls how outbound
> > network traffic is labeled on-the-wire; it "maps" the
> > LSM/SELinux "domains" to a specific labeling protocol
> > configuration, e.g. all apache_t traffic should be labeled with
> > CIPSO DOI 3 while all firefox_t traffic should not be labeled at
> > all.

...

> > I think what you mean to type is the following:
> >
> >  # netlabelctl unlbl add interface:wlan0 address:<radioadd> \
> >      label:system_u:object_r:netlabel_peer_t:s0
> >
> > ... note there is no "domain" argument, that only exists
> > for "netlabelctl map ..." commands.
> >
> > NOTE: if you really want to get fancy you can create new SELinux
> > domains for each type of media and add NetLabel configurations for
> > those new domains. Imagine you create a new "internet_radio_t"
> > domain/type and only allow the "netplayer_t" domain (yeah, I made
> > that up but you get the point) access to network traffic labeled
> > with internet_radio_t. You would then use the following command to
> > label your incoming traffic with NetLabel:
> >
> >  # netlabelctl unlbl add interface:wlan0 address:<radioadd> \
> >      label:system_u:object_r:internet_radio_t:s0
> >
> > NOTE: you can also skip the "interface:wlan0" argument and just
> > use "default" instead if you want the configuration to apply to all
> > your network interfaces; although bear in mind that the "default"
> > configuration can be overridden by the interface specific
> > configurations.
>
> Alright, I thought you could use the map option for unlbl.

Yes, you can configure the LSM/SELinux domain mapping to send
unlabeled/"unlbl" packets (the default configuration maps all outbound
traffic to "unlbl") but since you only really care about inbound traffic
you can ignore the "map" option.
-- 
paul moore
linux @ hp
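An added helper script (not from this thread or from the NetLabel project) that builds the "netlabelctl unlbl add" commands discussed above, rejects labels that are not full SELinux contexts, and shows which fallback label wins when both an interface-specific rule and a "default" rule exist. The interface, address and internet_radio_t label are constructed sample values; netlabelctl is only invoked when NETLABEL_DRY_RUN is unset.

```shell
#!/bin/sh
# Added example: compose and apply NetLabel "unlbl" (unlabeled inbound
# traffic) rules. Sample interface/address/labels are constructed.

# Compose one "netlabelctl unlbl add" command.  There is deliberately no
# "domain:" argument: that only exists for "netlabelctl map ..." (outbound).
unlbl_add_cmd() {
    iface="$1"; addr="$2"; label="$3"
    # The fallback label must be a full SELinux context (user:role:type:level).
    case "$label" in
        *:*:*:*) ;;
        *) echo "bad label: $label" >&2; return 1 ;;
    esac
    # "default" applies to all interfaces; "interface:<name>" to one of them.
    if [ "$iface" = "default" ]; then
        scope="default"
    else
        scope="interface:$iface"
    fi
    printf 'netlabelctl unlbl add %s address:%s label:%s\n' \
        "$scope" "$addr" "$label"
}

# Which label applies on interface $1?  Interface-specific rules override
# "default".  Remaining args are rules in the form "scope|address|label".
effective_label() {
    want="$1"; shift
    fallback=""
    for rule in "$@"; do
        scope="${rule%%|*}"; rest="${rule#*|}"; label="${rest#*|}"
        if [ "$scope" = "interface:$want" ]; then
            echo "$label"; return 0
        elif [ "$scope" = "default" ]; then
            fallback="$label"
        fi
    done
    [ -n "$fallback" ] && echo "$fallback"
}

# Run each composed command, or just print it when NETLABEL_DRY_RUN is set.
apply_unlbl_rules() {
    for cmd in "$@"; do
        if [ -n "${NETLABEL_DRY_RUN:-}" ]; then
            echo "$cmd"
        else
            sh -c "$cmd" || return 1
        fi
    done
}
```

After applying rules for real, "netlabelctl unlbl list" shows the resulting table so the interface-specific and default entries can be compared.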