Stephen Smalley wrote:
> The port-based checks (e.g. name_bind, name_connect) are not relevant
> to MLS and there are no MLS constraints written on them.

I see. In the refpolicy they say that name_bind/name_connect have no MLS restrictions. But they place restrictions on tcp_socket write and read; shouldn't those kick in?

BTW, what's the difference between connect and name_connect?

> 2) Can you provide more details about your configuration and your test
> case (e.g. your exact netlabel configuration, the policy package you are
> using, the context in which your process runs)?

Fedora 12 with latest updates; mls policy package. Base package description says:

Based off of reference policy: Checked out revision 2.20090730

Context is user_u:user_r:user_t:s1

I did something like

netlabelctl unlbl add default address:0.0.0.0/0 \
    label:system_u:object_r:netlabel_peer_t:s0

I could see the packets on the outgoing interface.

Michal Svoboda