I have another one of those 'Is it normal?' questions. To begin with, my system does not label network packets in any way; packets are not unlabeled_t, they just seem to be ignored by the LSM. No rule of the type 'allow X Y:packet { send recv }' is required, all domains can access the network. When I introduce just a single iptables rule utilizing SECMARK, say `iptables -A INPUT -t security -i tun0 -j SECMARK --selctx system_u:object_r:sec_tun_t:s0` to label all packets coming in on tun0, then suddenly all traffic on all devices gets labeled. Packets that lack an iptables rule get unlabeled_t. Suddenly all networking is locked down and I need 'allow X Y:packet { send recv }' rules in the policy.

Ole
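The behaviour described above (once any SECMARK rule is loaded, every packet on every interface is labeled and checked, and anything without a rule becomes unlabeled_t) is the reason a SECMARK ruleset should label all traffic, not just one interface. The script below is an added example, not part of the original post: it generates a security-table ruleset for iptables-restore with a per-interface rule for tun0 (context taken from the post), a catch-all rule for everything else, and CONNSECMARK to carry the label across a connection. The catch-all context `sec_default_t` and the domain `myapp_t` are hypothetical placeholders for your own policy.

```shell
#!/bin/sh
# Added example, not from the original post. sec_tun_t comes from the post;
# sec_default_t and myapp_t are hypothetical placeholders.
#
# Emit an iptables-restore fragment for the security table.
#   $1: catch-all context applied to traffic no other rule matched
#   remaining args: iface=context pairs, one SECMARK rule per interface
# Load with:  secmark_ruleset ... | iptables-restore --noflush
# Policy then needs e.g.:  allow myapp_t sec_tun_t:packet { send recv };
secmark_ruleset() {
    default_ctx=$1; shift
    printf '%s\n' '*security' ':INPUT ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Later packets of a known flow reuse the label saved on its conntrack entry,
    # so replies get the same label as the packet that opened the connection.
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore'
    printf '%s\n' '-A OUTPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore'
    for pair in "$@"; do
        iface=${pair%%=*}; ctx=${pair#*=}
        printf '%s\n' "-A INPUT -i $iface -m state --state NEW -j SECMARK --selctx $ctx"
        printf '%s\n' "-A OUTPUT -o $iface -m state --state NEW -j SECMARK --selctx $ctx"
    done
    # Catch-all: without this, every flow on an unlisted interface is unlabeled_t
    # and is denied unless the policy grants unlabeled_t:packet to the domain.
    printf '%s\n' "-A INPUT -m state --state NEW -j SECMARK --selctx $default_ctx"
    printf '%s\n' "-A OUTPUT -m state --state NEW -j SECMARK --selctx $default_ctx"
    # Store the label on the conntrack entry for the --restore rules above.
    printf '%s\n' '-A INPUT -m state --state NEW -j CONNSECMARK --save'
    printf '%s\n' '-A OUTPUT -m state --state NEW -j CONNSECMARK --save'
    printf '%s\n' 'COMMIT'
}

# Sanity check on a generated ruleset: fail if it has no catch-all rule,
# i.e. if some SECMARK rule exists but unmatched traffic would stay unlabeled.
has_catchall() {
    printf '%s\n' "$1" | grep -q '^-A INPUT -m state --state NEW -j SECMARK --selctx '
}
```

Review the generated text before loading it; the rules are applied to INPUT and OUTPUT only, so a forwarding host also needs matching FORWARD rules.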