Re: NetLabel

On Wed, Jun 4, 2008 at 2:31 PM, Paul Moore <paul.moore@xxxxxx> wrote:
> On Wednesday 04 June 2008 2:55:15 am Justin Mattock wrote:
>> Hello; hopefully this is the right list to post this question.
>> After looking at NetLabel, in dmesg I couldn't help but see:
>> [    0.570655] NetLabel: Initializing
>> [    0.570660] NetLabel:  domain hash size = 128
>> [    0.570663] NetLabel:  protocols = UNLABELED CIPSOv4
>> [    0.570730] NetLabel:  unlabeled traffic allowed by default
>>
>> "unlabeled traffic allowed by default."
>> is this similar to selinux (handle_unknown=deny)? If so, is there an
>> option to change this to "unlabeled traffic deny."
>
> Nope, the two are completely unrelated.  By default, NetLabel allows
> unlabeled traffic to pass (meaning the netlbl_skbuff_getattr() function
> returns an empty secattr and no error, the LSM does the actual packet
> pass/drop) so as to keep networking working for the majority of users
> who do not configure NetLabel.  If you were to disable unlabeled
> traffic using NetLabel only CIPSO and static/fallback (using 2.6.25 or
> greater) labeled traffic would be allowed into the system.
>
> Unless you really know what you are doing I wouldn't mess with this
> setting.
>
>> Also is there a location for this in the kernel, e.g. /proc/sys/net/*
>> regards;
>
> There are some sysctl variables which offer control of the
> NetLabel/CIPSO functionality, but they do not toggle the unlabeled
> allow/deny behavior; for that you need the netlabel_tools package,
> specifically netlabelctl.
>
>  * http://netlabel.sf.net
>
> --
> paul moore
> linux @ hp
>

I'm going to answer honestly: I don't know what I'm doing, so with that
in mind maybe I should just leave this for now.
I did have a look at the netlabel_tools package, but like I said
in the first sentence, I need to really study this
before venturing into it (that way I'm not stuck with no internet).
regards;


-- 
Justin P. Mattock
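Paul's answer points at netlabelctl for the unlabeled allow/deny toggle, and Justin's worry is being cut off from the network once unlabeled traffic is denied. The script below is an added example, not part of the thread: it reads the current setting and shows the safe order of operations (give the trusted network a static/fallback label first, then turn the default off, with the revert commands noted). It assumes `netlabelctl unlbl list` prints a line of the form "accept:on" or "accept:off", and the SELinux label and CIDR are example values that must match the local policy.

```shell
#!/bin/sh
# Added example (not from the thread): check and safely change NetLabel's
# unlabeled-traffic default with netlabelctl from netlabel_tools.
# Assumption: `netlabelctl unlbl list` output contains "accept:on" or
# "accept:off". The label and CIDR passed in are examples only.
set -u

# Parse `netlabelctl unlbl list` output from stdin; print "on" or "off".
parse_unlbl_accept() {
    while IFS= read -r line; do
        case "$line" in
            accept:on*)  echo on;  return 0 ;;
            accept:off*) echo off; return 0 ;;
        esac
    done
    echo unknown
    return 1
}

# Current kernel setting as reported by netlabelctl.
unlbl_accept_state() {
    netlabelctl unlbl list | parse_unlbl_accept
}

# Stop accepting unlabeled packets without losing connectivity: first give
# the trusted network a static/fallback label (the 2.6.25+ mechanism Paul
# mentions), only then flip the default. To revert:
#   netlabelctl unlbl accept on
#   netlabelctl unlbl del default address:<cidr>
deny_unlabeled_safely() {
    cidr="$1"    # constructed example: 192.168.1.0/24
    label="$2"   # example label: system_u:object_r:netlabel_peer_t:s0
    netlabelctl unlbl add default address:"$cidr" label:"$label" || return 1
    netlabelctl unlbl accept off || return 1
    netlabelctl unlbl list
}

# Only act when explicitly requested, so sourcing this file changes nothing.
if [ "${NETLABEL_APPLY:-}" = "yes" ]; then
    echo "unlabeled accept is currently: $(unlbl_accept_state)"
    deny_unlabeled_safely "${NETLABEL_CIDR:?}" "${NETLABEL_LABEL:?}"
fi
```

Run it as `NETLABEL_APPLY=yes NETLABEL_CIDR=192.168.1.0/24 NETLABEL_LABEL=<label> sh netlabel-deny.sh` as root; keep a console session open so the revert commands can be typed if the fallback mapping turns out to be wrong.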

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
