On Thu, 2007-12-13 at 10:45 -0500, Paul Moore wrote:
> On Thursday 13 December 2007 9:12:08 am Christopher J. PeBenito wrote:
> > On Wed, 2007-12-12 at 15:18 -0500, Paul Moore wrote:
> > > Assuming labeled networking is enabled, a forwarded packet would
> > > hit four checks:
> > >
> > > # inbound checks
> > > allow netif_t peer_t:peer ingress;
> > > allow netnode_t peer_t:peer ingress;
> > > # outbound checks
> > > allow netif_t peer_t:peer egress;
> > > allow netnode_t peer_t:peer egress;
> >
> > This helps. But this seems to be for the old networking; how does it
> > work with the secmark stuff?
>
> It doesn't work with the SECMARK stuff, or rather it works in parallel
> with the SECMARK stuff. We've debated integrating the peer labeling
> protocols (labeled IPsec, NetLabel) with the SECMARK mechanism many
> times, but in the end we always end up deciding it doesn't make sense.

So, with compat_net off, you'd still need the above policy, not the
packet type against the peer type? E.g., not this:

allow ssh_client_packet_t peer_t:peer egress;

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
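As an added illustration of what "works in parallel" means for policy writing (this is not code from the thread, the kernel, or the reference policy), the module below keeps the two mechanisms side by side for an ssh client: the peer-label rules are the four Paul quoted, reproduced verbatim, and the SECMARK side gets its own packet-type rule plus the iptables rules that assign the label. Assumptions: the client domain name ssh_t, the module name, and the iptables commands in the comments; ssh_client_packet_t, peer_t, netif_t and netnode_t are the identifiers used in the message. Whether the quoted peer rules match the peer and netif class permissions of a given kernel and base policy is something to confirm by compiling against that policy with checkmodule.

```selinux
policy_module(labeled_net_example, 1.0)

# Assumed names: ssh_t is the ssh client domain; ssh_client_packet_t is
# the packet type iptables stamps on the client's SSH traffic. peer_t,
# netif_t and netnode_t are the types named in the thread.
gen_require(`
	type ssh_t, ssh_client_packet_t;
	type peer_t, netif_t, netnode_t;
')

# Peer labeling side (labeled IPsec / NetLabel): the four checks a
# forwarded packet hits, copied exactly as quoted above. The subjects
# are the interface and the node; the object is the packet's peer label.
# inbound checks
allow netif_t peer_t:peer ingress;
allow netnode_t peer_t:peer ingress;
# outbound checks
allow netif_t peer_t:peer egress;
allow netnode_t peer_t:peer egress;

# SECMARK side: a separate check of the sending/receiving domain against
# the packet type that iptables writes into the skb secmark. This rule
# does not replace the peer rules above; when labeled networking is
# enabled both sets of checks are evaluated independently.
# Assumed iptables setup (run as root, mangle table):
#   iptables -t mangle -A OUTPUT -p tcp --dport 22 \
#       -j SECMARK --selctx system_u:object_r:ssh_client_packet_t:s0
#   iptables -t mangle -A INPUT  -p tcp --sport 22 \
#       -j SECMARK --selctx system_u:object_r:ssh_client_packet_t:s0
allow ssh_t ssh_client_packet_t:packet { send recv };
```

The point of keeping both blocks in one module is that neither subsumes the other: removing the peer rules does not stop the peer checks from firing on labeled traffic, and removing the packet rule does not stop the SECMARK check once the iptables rules are loaded, so a denial in audit.log has to be read against the class (peer versus packet) to know which half of the module to fix.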