> >>
> >> As for the recvfrom part, in your policy you have:
> >>
> >> corenet_non_ipsec_sendrecv(brindle_client_t)
> >>
> >> This interface allows a domain to receive from unlabeled ipsec
> >> connections, which means it will work regardless of associations being
> >> present; be sure to remove interfaces like this before testing in
> >> enforcing.
> >>
> >
> > True that the non_ipsec interface will allow the client and server to
> > communicate, but it wouldn't be a labeled communication, which means the
> > output of the client and server should look like this:
> >
> > [mr_clarkson@blade5 test]$ ./brindle_server
> > getsockopt: Protocol not available
> > server: got connection from 127.0.0.1, (null)
> >
> > [mr_clarkson@blade5 test]$ ./brindle_client 127.0.0.1
> > getpeercon: Protocol not available
> > Received: Hello, (null) from (null)
> >
> > I know that it is sending the packets over the labeled IPSec loopback,
> > because it stops working when I remove the SPDs using "setkey -FP".
> >
> > In any case, it quits working when I replace
> > corenet_non_ipsec_sendrecv(brindle_client_t) with
> > ipsec_labeled(brindle_client_t) and do likewise for the server. And I
> > get the following from audit2allow:
> >
> > #============= brindle_client_t ==============
> > # src="brindle_client_t" tgt="unlabeled_t" class="packet", perms="send"
> > # comm="brindle_client" exe="" path=""
> > allow brindle_client_t unlabeled_t:packet send;
> >
> > Is there something else that I need to provide?
> >
>
> I think corenet_sendrecv_unlabeled_packets()
>

That's the same as corenet_non_ipsec_sendrecv(). They both just call
kernel_sendrecv_unlabeled_packets().

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
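The "Protocol not available" seen from getsockopt and getpeercon in the thread is errno ENOPROTOOPT, which the kernel returns for SO_PEERSEC when it has no label for the peer (an unlabeled connection, such as one let through by kernel_sendrecv_unlabeled_packets instead of a labeled IPsec association). The example below is added here and is not the brindle code from the thread; it queries SO_PEERSEC directly (what libselinux's getpeercon() wraps, assuming a Linux kernel) and separates "peer is unlabeled" from a real failure so a server that requires labeled peers can refuse them deliberately.

```c
/* Added example: classify a connected socket's peer security context. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef SO_PEERSEC
#define SO_PEERSEC 31   /* Linux value from asm-generic/socket.h (assumption if undefined) */
#endif

enum peer_label { PEER_LABELED, PEER_UNLABELED, PEER_ERROR };

/* Copy the peer's security context into ctx (NUL-terminated).
 * PEER_LABELED:   ctx holds a context such as system_u:system_r:brindle_client_t:s0
 * PEER_UNLABELED: kernel answered ENOPROTOOPT, i.e. no label for this peer
 *                 (the "Protocol not available" case from the thread)
 * PEER_ERROR:     any other failure (bad fd, ERANGE for a too-small buffer, ...) */
enum peer_label peer_context(int fd, char *ctx, size_t ctxlen)
{
    socklen_t len = (socklen_t)ctxlen;
    ctx[0] = '\0';
    if (getsockopt(fd, SOL_SOCKET, SO_PEERSEC, ctx, &len) == 0) {
        /* The kernel does not guarantee a trailing NUL; add one ourselves. */
        ctx[len < ctxlen ? len : ctxlen - 1] = '\0';
        return PEER_LABELED;
    }
    return errno == ENOPROTOOPT ? PEER_UNLABELED : PEER_ERROR;
}

/* Fail-closed policy for a server that only accepts labeled peers:
 * returns 1 if the peer carries a non-empty context, 0 otherwise. */
int peer_is_labeled(int fd)
{
    char ctx[256];
    return peer_context(fd, ctx, sizeof ctx) == PEER_LABELED && ctx[0] != '\0';
}

int main(void)
{
    int sv[2];
    char ctx[256];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) { perror("socketpair"); return 1; }
    switch (peer_context(sv[0], ctx, sizeof ctx)) {
    case PEER_LABELED:   printf("labeled peer: %s\n", ctx); break;
    case PEER_UNLABELED: printf("unlabeled peer (ENOPROTOOPT)\n"); break;
    default:             perror("getsockopt(SO_PEERSEC)"); break;
    }
    close(sv[0]); close(sv[1]);
    return 0;
}
```

On a host with an LSM that labels sockets the socketpair reports the process's own context; on a kernel with no such LSM it reports the unlabeled case, which is the same answer the brindle server got over an unlabeled path.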