> -----Original Message----- > From: Paul Moore [mailto:paul.moore@xxxxxx] > Sent: Friday, February 15, 2008 3:43 PM > To: Clarkson, Mike R (US SSA) > Cc: selinux@xxxxxxxxxxxxx > Subject: Re: Brindle example of labeled IPSec > > On Friday 15 February 2008 6:25:45 pm Clarkson, Mike R (US SSA) wrote: > > I understand why there is no labeling after doing "setkey -FP". That > > was expected. > > I'm sorry, I mis-read your original question. > > > My question is why does the labeling work in enforcing mode, even > > though my policy does not provide the following rules: > > allow brindle_client_t ipsec_spd_t:association polmatch; > > allow brindle_client_t brindle_server_t:association recvfrom; > > > > With labeled IPSec over the loopback, I did not have to provide any > > rules in my brindle_client module or my brindle_server module with > > respect to the association object class. Without the association > > rules, the policy doesn't have any way of enforcing MLS constraints, > > or TE on the client server connections, which is the reason that I > > set up labeled IPSec over loopback in the first place. > > That is interesting isn't it? I don't have an answer off the top of my > head which means I need to go and dig through the kernel and policy to > try and piece together what is going on. What kernel version and > policy version are you running? Kernel: 2.6.18-53.el5 (x86_64) Policy: RHEL5.1 Thanks > > -- > paul moore > linux security @ hp -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
