On Monday, May 14, 2012 04:42:06 PM Chad Hanson wrote:
> > > >> * during boot and shutdown you can guarantee no network access
> > > >
> > > > You can do this through a variety of other mechanisms that have
> > > > nothing to do with secmark labels.
> > >
> > > No, you can't.
> >
> > Yes, you can. See "netif:{ ingress egress }".
>
> This assumes you have netlabel rules enabled.

Look at the code a bit closer; it works with both labeled IPsec and
NetLabel. Regardless, I see your point.

> I would like to see the configuration option noted as a possibility in
> netlbl_enabled() to be 1 without a kernel patch. This then would assure
> that netif checks are always active in the absence of secmark rules, if
> this is desired.

*If* we were to do something to enable the per-packet access checks
regardless of configuration, I agree: we should enable the secmark checks
and the peer label checks.

-- 
paul moore
www.paul-moore.com

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx
with the words "unsubscribe selinux" without quotes as the message.
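The two families of per-packet checks the thread contrasts, written out as a policy fragment. This is an added example, not policy from the thread or from the SELinux project; the domain name early_boot_t and the refpolicy attributes netif_type, node_type and packet_type are assumed. The point of the example is the caveat Paul and Chad are arguing about: each set of rules only has effect when the kernel path that performs the check is enabled.

```selinux
# Added example, not from the thread. early_boot_t and the refpolicy
# attributes (netif_type, node_type, packet_type) are assumptions.
type early_boot_t;

# Peer-label path. The kernel evaluates netif:{ingress egress} and
# node:{recvfrom sendto} only when it believes it can label peers, i.e.
# when netlbl_enabled() is non-zero (a CIPSO/CALIPSO mapping is loaded)
# or labeled IPsec is in use. With neither configured, these rules are
# never consulted and the domain is not actually cut off from the network.
neverallow early_boot_t netif_type:netif { ingress egress };
neverallow early_boot_t node_type:node { recvfrom sendto };

# Secmark path. The packet class is checked only for packets that a
# SECMARK firewall rule has labeled with a packet_type. No SECMARK rules,
# no checks, regardless of what the policy says.
neverallow early_boot_t packet_type:packet { send recv };
```

The neverallow statements make the intent auditable at policy build time, but they do not change the runtime caveat: to guarantee no network access for a boot-time domain you must also ensure at least one of the two enabling conditions (a NetLabel or labeled IPsec configuration, or SECMARK rules) is present before that domain runs, which is exactly the gap Chad is asking to close in netlbl_enabled().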