Re: NetLabel

On Wednesday 04 June 2008 3:05:08 pm Justin Mattock wrote:
> On Wed, Jun 4, 2008 at 2:31 PM, Paul Moore <paul.moore@xxxxxx> wrote:
> > On Wednesday 04 June 2008 2:55:15 am Justin Mattock wrote:
> >> Hello; Hopefully this is the right list to post this question,
> >> after looking at NetLabel, in dmesg I couldn't help but see:
> >> [    0.570655] NetLabel: Initializing
> >> [    0.570660] NetLabel:  domain hash size = 128
> >> [    0.570663] NetLabel:  protocols = UNLABELED CIPSOv4
> >> [    0.570730] NetLabel:  unlabeled traffic allowed by default
> >>
> >> "unlabeled traffic allowed by default."
> >> is this similar to selinux (handle_unknown=deny)? If so, is there an
> >> option to change this to "unlabeled traffic deny"?
> >
> > Nope, the two are completely unrelated.  By default, NetLabel
> > allows unlabeled traffic to pass (meaning the
> > netlbl_skbuff_getattr() function returns an empty secattr and no
> > error, the LSM does the actual packet pass/drop) so as to keep
> > networking working for the majority of users who do not configure
> > NetLabel.  If you were to disable unlabeled traffic using NetLabel
> > only CIPSO and static/fallback (using 2.6.25 or greater) labeled
> > traffic would be allowed into the system.
> >
> > Unless you really know what you are doing I wouldn't mess with this
> > setting.
> >
> >> Also is there a location for this in the kernel, e.g.
> >> /proc/sys/net/*? regards;
> >
> > There are some sysctl variables which offer control of the
> > NetLabel/CIPSO functionality; they do not toggle the unlabeled
> > allow/deny behavior. For that you need the netlabel_tools package,
> > specifically netlabelctl.
> >
> >  * http://netlabel.sf.net
>
> I'm going to answer honestly: I don't know what I'm doing, so with
> that in mind maybe I should just leave this for now.
> I did have a look at the netlabel_tools package, but like what I said
> in the first sentence, I need to really study this
> before venturing into this (that way I'm not stuck with no
> internet). regards;

Sounds like a good plan.  I wish I had some decent documentation to pass 
along but I haven't had a chance to write anything up so far ... 
regardless, if you have any questions don't hesitate to ask.

Good luck.

-- 
paul moore
linux @ hp
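The boot messages Justin quotes are the only place the kernel reports NetLabel's unlabeled-traffic policy, so a quick way to audit a host is to parse that dmesg block and compare it with the policy you expect. The following script is an added example and is not part of the thread or of netlabel_tools; it only reads the boot state and changes nothing. It assumes the line formats shown in the quoted dmesg excerpt (reused here as the constructed sample) and treats any wording other than "allowed" as not-allowed, since the page does not show what the kernel prints when unlabeled traffic is denied. Changing the policy itself is done with netlabelctl's `unlbl accept` command, which, as Paul describes, leaves only CIPSO and static/fallback labeled traffic passing.

```python
import re

# Constructed sample: the NetLabel block from the dmesg excerpt quoted in the
# thread, plus one unrelated line to show that non-NetLabel output is ignored.
SAMPLE_DMESG = """\
[    0.570655] NetLabel: Initializing
[    0.570660] NetLabel:  domain hash size = 128
[    0.570663] NetLabel:  protocols = UNLABELED CIPSOv4
[    0.570730] NetLabel:  unlabeled traffic allowed by default
[    0.571000] audit: initializing netlink subsys (disabled)
"""

# "[ <timestamp>] NetLabel: <message>" as printed at boot.
NETLABEL_RE = re.compile(r"^\[\s*(?P<ts>[\d.]+)\]\s+NetLabel:\s+(?P<msg>.*)$")


def parse_netlabel(dmesg_text):
    """Extract NetLabel's boot-time state from dmesg text.

    Returns a dict with: initialized (bool), domain_hash_size (int or None),
    protocols (list of str), unlabeled_allowed (bool, or None if the kernel
    never reported a policy line).
    """
    state = {
        "initialized": False,
        "domain_hash_size": None,
        "protocols": [],
        "unlabeled_allowed": None,
    }
    for line in dmesg_text.splitlines():
        m = NETLABEL_RE.match(line)
        if not m:
            continue  # not a NetLabel message
        msg = m.group("msg").strip()
        if msg == "Initializing":
            state["initialized"] = True
        elif msg.startswith("domain hash size ="):
            state["domain_hash_size"] = int(msg.split("=", 1)[1])
        elif msg.startswith("protocols ="):
            state["protocols"] = msg.split("=", 1)[1].split()
        elif msg.startswith("unlabeled traffic"):
            # Assumption: only the "allowed by default" wording is known from
            # the thread; any other wording is treated as not allowed.
            state["unlabeled_allowed"] = "allowed" in msg
    return state


def audit(state, expect_unlabeled_allowed=True):
    """Compare parsed state with the expected policy; return a list of findings.

    An empty list means the host matches expectations. The default expectation
    is the kernel default (unlabeled traffic allowed), which is what most
    hosts that never configure NetLabel should show.
    """
    findings = []
    if not state["initialized"]:
        findings.append("NetLabel did not report initialization")
    if "CIPSOv4" not in state["protocols"]:
        findings.append("CIPSOv4 protocol not registered")
    if state["unlabeled_allowed"] is None:
        findings.append("unlabeled traffic policy not reported")
    elif state["unlabeled_allowed"] != expect_unlabeled_allowed:
        findings.append(
            "unlabeled traffic allowed=%s, expected %s"
            % (state["unlabeled_allowed"], expect_unlabeled_allowed)
        )
    return findings


if __name__ == "__main__":
    # On a real host you would feed in the output of `dmesg` instead.
    parsed = parse_netlabel(SAMPLE_DMESG)
    print(parsed)
    print("findings:", audit(parsed) or "none")
```

Running it against the sample reports the defaults Justin saw (hash size 128, UNLABELED and CIPSOv4 registered, unlabeled traffic allowed) with no findings; pass `expect_unlabeled_allowed=False` to `audit` on a host where you have deliberately turned unlabeled traffic off and the script will flag a drift back to the default.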

--
This message was distributed to subscribers of the selinux mailing list.