Stephen Smalley wrote:
> If you want network enforcement, you need to configure labeled
> networking - that isn't enabled by default.

Thanks. I have two more questions.

First, why does MLS require this, but for TE it is sufficient to have labeled ports?

And second, I have managed to label my network to s0, but still, if I try to connect as an s1 user, the outbound connection gets through; only the response (i.e. syn/ack) is denied. This still violates BLP; is this a matter of how the refpolicy is set up?

Michal Svoboda