On Wed, Jun 4, 2008 at 7:14 PM, Paul Moore <paul.moore@xxxxxx> wrote:
> On Wednesday 04 June 2008 3:05:08 pm Justin Mattock wrote:
>> On Wed, Jun 4, 2008 at 2:31 PM, Paul Moore <paul.moore@xxxxxx> wrote:
>> > On Wednesday 04 June 2008 2:55:15 am Justin Mattock wrote:
>> >> Hello; Hopefully this is the right list to post this question,
>> >> after looking at NetLabel, in dmesg I couldn't help but see:
>> >>
>> >> [ 0.570655] NetLabel: Initializing
>> >> [ 0.570660] NetLabel: domain hash size = 128
>> >> [ 0.570663] NetLabel: protocols = UNLABELED CIPSOv4
>> >> [ 0.570730] NetLabel: unlabeled traffic allowed by default
>> >>
>> >> "unlabeled traffic allowed by default."
>> >> Is this similar to selinux (handle_unknown=deny)? If so, is there an
>> >> option to change this to "unlabeled traffic deny"?
>> >
>> > Nope, the two are completely unrelated. By default, NetLabel
>> > allows unlabeled traffic to pass (meaning the
>> > netlbl_skbuff_getattr() function returns an empty secattr and no
>> > error, the LSM does the actual packet pass/drop) so as to keep
>> > networking working for the majority of users who do not configure
>> > NetLabel. If you were to disable unlabeled traffic using NetLabel,
>> > only CIPSO and static/fallback (using 2.6.25 or greater) labeled
>> > traffic would be allowed into the system.
>> >
>> > Unless you really know what you are doing I wouldn't mess with this
>> > setting.
>> >
>> >> Also, is there a location for this in the kernel, e.g.
>> >> /proc/sys/net/*?
>> >> regards;
>> >
>> > There are some sysctl variables which offer control of the
>> > NetLabel/CIPSO functionality, but they do not toggle the unlabeled
>> > allow/deny behavior; for that you need the netlabel_tools package,
>> > specifically netlabelctl.
>> >
>> > * http://netlabel.sf.net
>>
>> I'm going to answer honestly: I don't know what I'm doing, so with
>> that in mind maybe I should just leave this for now.
>> I did have a look at the netlabel_tools package, but like what I said
>> in the first sentence, I need to really study this
>> before venturing into this (that way I'm not stuck with no
>> internet).
>> regards;
>
> Sounds like a good plan. I wish I had some decent documentation to pass
> along but I haven't had a chance to write anything up so far ...
> regardless, if you have any questions don't hesitate to ask.
>
> Good luck.
>
> --
> paul moore
> linux @ hp

Cool, thanks for the response and help. I think overall I'm just trying to make sure /etc/sysctl.conf is in good condition so my TCP is not vulnerable to any kind of spoofing action.

regards;

--
Justin P. Mattock