On Wednesday 14 April 2010 01:34:11 pm Benedict, Phillip M wrote:
> Thanks,
>
> So one more question if you please...
> I seem to recall reading something to the effect of Labeled IPSEC only
> working between two or more Linux/SELinux systems.

Yes, labeled IPsec only works between two SELinux systems running the same,
or very similar, policies.

> Can Labeled IPSEC be configured to apply static labels to incoming
> packets?

No.

> -----Original Message-----
> From: Paul Moore [mailto:paul.moore@xxxxxx]
> Sent: Wednesday, April 14, 2010 10:31 AM
> To: Benedict, Phillip M
> Cc: Michal Svoboda; selinux@xxxxxxxxxxxxx
> Subject: Re: MLS telnet question
>
> On Wednesday 14 April 2010 08:23:02 am Benedict, Phillip M wrote:
> > Thanks, I will take another look at Netlabel's fallback/static labeling.
> > So how can I verify if my kernel (the default RHEL 5.3 kernel 2.6.128)
> > has Netlabel support?
>
> While the RHEL5.x kernels have NetLabel support, it is very basic as it
> predates most of the labeled networking improvements that have been made
> in the past years. Unfortunately, this means that the fallback/static
> peer label feature is not part of RHEL5.
>
> > Also I currently have separate ssh daemons running at certain
> > sensitivities (runcon) and bound to specific IP addresses (separate
> > sshd_config files). Will fallback labeling impact my ssh setup?
>
> You'll need to be more specific about what you mean by "impact".
>
> Will NetLabel affect how you bind the multiple SSH daemons? No. Will
> NetLabel affect how the SSH daemons are labeled? No. Will NetLabel allow
> you to assign peer labels to incoming SSH traffic? Yes. Will this mean
> I'll need to change my SELinux policy to add the necessary controls? It
> depends.
>
> > -----Original Message-----
> > From: Paul Moore [mailto:paul.moore@xxxxxx]
> > Sent: Tuesday, April 13, 2010 5:55 PM
> > To: Benedict, Phillip M
> > Cc: Michal Svoboda; selinux@xxxxxxxxxxxxx
> > Subject: Re: MLS telnet question
> >
> > On Tuesday 13 April 2010 12:42:36 pm Michal Svoboda wrote:
> > > Benedict, Phillip M wrote:
> > > > The network does not carry any cipso data for evaluation by my
> > > > server, so I don't think I can use netlabel.
> > >
> > > You can use the fallback label feature that can assign labels
> > > statically per remote IP.
> >
> > NetLabel fallback/static label example configuration:
> >  * http://paulmoore.livejournal.com/1758.html
>
> --
> paul moore
> linux @ hp

--
paul moore
linux @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
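The fallback/static peer labeling that Michal and Paul point to above, as an added shell example that is not part of the thread and not Paul's blog configuration: it builds the `netlabelctl unlbl` rules from a constructed peer table, checks the kernel config for `CONFIG_NETLABEL`, and runs in dry-run mode by default so it can be exercised without root. The `netlabelctl` command syntax is the one shipped by netlabel_tools; the addresses, the `netlabel_peer_t` labels, and the interface name `eth0` are assumptions for illustration. As Paul notes, the RHEL5 kernel predates this feature, so the apply step only makes sense on a newer kernel.

```shell
#!/bin/sh
# Added example (not from the thread): generate, and optionally apply,
# NetLabel fallback/static peer labels for hosts whose traffic carries no
# CIPSO option. netlabelctl syntax is from netlabel_tools; the peer table,
# labels and interface name below are constructed for illustration.

# Constructed peer table: "address label" per line. Each remote network is
# mapped to a fixed SELinux peer context because the packets are unlabeled.
PEER_TABLE='192.0.2.0/24 system_u:object_r:netlabel_peer_t:s0
198.51.100.7/32 system_u:object_r:netlabel_peer_t:s1
2001:db8::/64 system_u:object_r:netlabel_peer_t:s0'

# Does a kernel config file ($1, default: the running kernel's) enable
# NetLabel at all? Absence means netlabelctl cannot talk to the kernel.
kernel_has_netlabel() {
    grep -qs '^CONFIG_NETLABEL=y' "${1:-/boot/config-$(uname -r)}"
}

# A peer label must be a full context: user:role:type:level.
valid_label() {
    case "$1" in
        *:*:*:*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Print the netlabelctl commands for a peer table ($1) on an interface ($2,
# or "default" for the catch-all mapping). Malformed rows are reported on
# stderr and skipped rather than silently mislabelled.
netlabel_rules() {
    printf 'netlabelctl unlbl accept on\n'
    printf '%s\n' "$1" | while read -r addr label; do
        [ -n "$addr" ] || continue
        if ! valid_label "$label"; then
            printf 'skipping %s: malformed label "%s"\n' "$addr" "$label" >&2
            continue
        fi
        if [ "$2" = default ]; then
            printf 'netlabelctl unlbl add default address:%s label:%s\n' \
                "$addr" "$label"
        else
            printf 'netlabelctl unlbl add interface:%s address:%s label:%s\n' \
                "$2" "$addr" "$label"
        fi
    done
}

# Apply the rules (root and a NetLabel-capable kernel required) unless
# DRY_RUN=1, in which case they are only printed. After applying, list the
# unlabeled-traffic mappings as the check that the kernel accepted them.
apply_rules() {
    netlabel_rules "$1" "$2" | while read -r cmd; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "$cmd"
        else
            eval "$cmd"
        fi
    done
    [ "${DRY_RUN:-1}" = 1 ] || netlabelctl unlbl list
}

# Stand-alone run: show what would be applied for the catch-all mapping.
DRY_RUN=1 apply_rules "$PEER_TABLE" default
```

Once a static label is in place, the "it depends" part of Paul's answer is policy: a connection from `192.0.2.0/24` arrives with peer context `netlabel_peer_t`, so the receiving domain (for example the sshd domain of the matching sensitivity) needs `recv` permission on the `peer` class for that type, or the packets are dropped at the socket. The `runcon`-started daemons and their per-address `ListenAddress` settings are unaffected by this, exactly as the reply says.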