Re: Network flow controls and subj/obj ordering

On Thursday 13 December 2007 9:12:08 am Christopher J. PeBenito wrote:
> On Wed, 2007-12-12 at 15:18 -0500, Paul Moore wrote:
> > Assuming labeled networking is enabled, a forwarded packet would
> > hit four checks:
> >
> >  # inbound checks
> >  allow netif_t peer_t:peer ingress;
> >  allow netnode_t peer_t:peer ingress;
> >  # outbound checks
> >  allow netif_t peer_t:peer egress;
> >  allow netnode_t peer_t:peer egress;
>
> This helps.  But this seems to be for the old networking, how does it
> work with the secmark stuff?

It doesn't work with the SECMARK stuff, or rather it works in parallel 
with the SECMARK stuff.  We've debated integrating the peer labeling 
protocols (labeled IPsec, NetLabel) with the SECMARK mechanism many 
times but in the end we always end up deciding it doesn't make sense.

The reason for the network interface, "netif_t", and node, "netnode_t", 
labels is that we want to be able to apply access controls to peer 
labeled network traffic based on the remote host and/or interface.  
Currently we have no way of doing this.

Hopefully this is starting to get a bit more clear now ...

-- 
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
