On Wednesday 04 June 2008 2:55:15 am Justin Mattock wrote:
> Hello; Hopefully this is the right list to post this question,
> after looking at NetLabel, in dmesg I couldn't help but see:
> [ 0.570655] NetLabel: Initializing
> [ 0.570660] NetLabel: domain hash size = 128
> [ 0.570663] NetLabel: protocols = UNLABELED CIPSOv4
> [ 0.570730] NetLabel: unlabeled traffic allowed by default
>
> "unlabeled traffic allowed by default."
> is this similar to selinux (handle_unknown=deny)? If so, is there an
> option to change this to "unlabeled traffic deny."

Nope, the two are completely unrelated. By default, NetLabel allows unlabeled traffic to pass (meaning the netlbl_skbuff_getattr() function returns an empty secattr and no error; the LSM does the actual packet pass/drop) so as to keep networking working for the majority of users who do not configure NetLabel. If you were to disable unlabeled traffic using NetLabel, only CIPSO and static/fallback (using 2.6.25 or greater) labeled traffic would be allowed into the system. Unless you really know what you are doing I wouldn't mess with this setting.

> Also is there a location for this in the kernel e.g. /proc/sys/net/*
> regards;

There are some sysctl variables which offer control of the NetLabel/CIPSO functionality, but they do not toggle the unlabeled allow/deny behavior; for that you need the netlabel_tools package, specifically netlabelctl.

* http://netlabel.sf.net

--
paul moore
linux @ hp
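As an added example (not code from this thread or from netlabel_tools), a small wrapper around netlabelctl that turns the unlabeled-traffic default from allow to deny only after a static/fallback mapping has been added, so the host keeps talking to the peers it still needs. The `unlbl add` / `unlbl accept` syntax is assumed from the netlabel_tools documentation and the address and context values are constructed; check both against the installed version before use.

```shell
# Let a dry run or a test swap in another binary (e.g. NETLABELCTL=echo).
NETLABELCTL="${NETLABELCTL:-netlabelctl}"
# Guard counter for this session only; it does not reflect kernel state.
FALLBACKS_ADDED=0

# Add a static/fallback label so unlabeled packets from ADDRESS (a CIDR
# prefix) are handed to the LSM as if they carried LABEL (an SELinux
# context). Needs kernel 2.6.25 or later, as the reply above notes.
netlabel_fallback_add() {
    addr="$1"; label="$2"
    case "$addr" in
        */*) ;;                       # explicit prefix, e.g. 192.0.2.0/24
        *) echo "address must be a CIDR prefix" >&2; return 2 ;;
    esac
    case "$label" in
        *:*:*:*) ;;                   # user:role:type:level form
        *) echo "label does not look like an SELinux context" >&2; return 2 ;;
    esac
    # Assumed netlabelctl syntax: unlbl add default address:<cidr> label:<ctx>
    "$NETLABELCTL" unlbl add default address:"$addr" label:"$label" || return 1
    FALLBACKS_ADDED=$((FALLBACKS_ADDED + 1))
}

# Flip the default from allow to deny. Refuses while no fallback mapping
# has been added in this session: with none, every unlabeled packet is
# dropped and a remote admin session is cut off immediately.
netlabel_deny_unlabeled() {
    if [ "$FALLBACKS_ADDED" -eq 0 ]; then
        echo "refusing: add a fallback mapping first" >&2
        return 1
    fi
    # Assumed netlabelctl syntax: unlbl accept on|off
    "$NETLABELCTL" unlbl accept off
}

# Typical order (constructed values): label the management subnet, then deny.
# netlabel_fallback_add 192.0.2.0/24 system_u:object_r:netlabel_peer_t:s0
# netlabel_deny_unlabeled
```

Run with `NETLABELCTL=echo` first to see the exact commands before they touch the live configuration.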