On Wed, Aug 29, 2012 at 9:02 AM, Ole Kliemann <ole@xxxxxxxxxxxxxxx> wrote:
> I have another one of those 'Is it normal?' questions.
>
> To begin with, my system does not label network packets in any
> way; packets are not unlabeled_t, they just seem to be ignored by
> LSM. There is no rule of the type 'allow X Y:packet { send recv }'
> required, all domains can access the network.
>
> When I introduce just a single iptables rule utilizing SECMARK, say
>
> iptables -A INPUT -t security -i tun0 -j SECMARK --selctx system_u:object_r:sec_tun_t:s0
>
> to label all packets coming in at tun0, then suddenly all traffic
> on all devices gets labeled. Those which lack an iptables rule
> get unlabeled_t. Suddenly all network is locked down and I need
> 'allow X Y:packet { send recv }' rules in the policy.
>
> Ole

Yes, that is expected. The secmark packet checks are only applied if you have
defined at least one iptables secmark rule. The labeled networking peer checks
are similar; they are only applied if you configure network labeling (NetLabel
or labeled IPSEC). There was recent discussion on list of whether this was
desirable behavior (by Chris PeBenito), and I think he has posted some patches
to make this a policy option as to whether or not the checks are always applied.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
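The practical consequence of the answer above is that a SECMARK ruleset should never consist of a single interface rule: once one rule exists, every packet is checked, and anything the ruleset does not label becomes unlabeled_t and is denied unless the policy allows it. The script below is an added example, not code from the thread or from the SELinux project. It takes only tun0 and sec_tun_t from the message; the catch-all type default_packet_t, the CONNSECMARK save/restore pattern, the chain layout and the raw policy module are assumptions about how one would complete such a setup. The rule and policy text is generated by functions so it can be reviewed in a dry run; passing the word `apply` as the first argument executes them (root, iptables and the SELinux policy tools required).

```shell
#!/bin/sh
# Added example (not from the original thread). Labels all traffic once a
# SECMARK rule exists so nothing falls through to unlabeled_t.
# Assumptions: the type names other than sec_tun_t, the use of the
# refpolicy attributes domain/packet_type, and the CONNSECMARK pattern.

TUN_IF="${TUN_IF:-tun0}"                                  # from the thread
TUN_TYPE="system_u:object_r:sec_tun_t:s0"                 # from the thread
DEFAULT_TYPE="system_u:object_r:default_packet_t:s0"     # assumed catch-all

# Emit the iptables commands for the security table as text (dry run).
secmark_rules() {
    for chain in INPUT OUTPUT; do
        io_flag="-i"
        [ "$chain" = OUTPUT ] && io_flag="-o"
        # 1. Packets of an established connection reuse the label stored
        #    on the conntrack entry, so only the first packet is classified.
        echo "iptables -t security -A $chain -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore"
        # 2. New traffic on the tunnel interface gets the tunnel label.
        echo "iptables -t security -A $chain $io_flag $TUN_IF -m state --state NEW -j SECMARK --selctx $TUN_TYPE"
        # 3. Catch-all: every other new packet gets an explicit label instead
        #    of unlabeled_t, which is what locked the poster's system down.
        echo "iptables -t security -A $chain -m state --state NEW -j SECMARK --selctx $DEFAULT_TYPE"
        # 4. Store the packet label on the connection for step 1.
        echo "iptables -t security -A $chain -m state --state NEW -j CONNSECMARK --save"
    done
}

# Emit a policy module (raw module language) that declares both packet
# types and lets every domain send and receive them.  Narrow 'domain'
# to specific types if the tunnel traffic should be restricted.
policy_module_te() {
    cat <<'EOF'
module sec_tun 1.0;

require {
    attribute domain;        # assumed: refpolicy attribute for all processes
    attribute packet_type;   # assumed: refpolicy attribute for SECMARK labels
}

type sec_tun_t, packet_type;
type default_packet_t, packet_type;

allow domain sec_tun_t:packet { send recv };
allow domain default_packet_t:packet { send recv };
EOF
}

# Load the policy first, then the rules: the moment the first SECMARK rule
# is inserted the packet checks become active, so the allow rules must
# already be present.
apply() {
    policy_module_te > sec_tun.te
    checkmodule -M -m -o sec_tun.mod sec_tun.te
    semodule_package -o sec_tun.pp -m sec_tun.mod
    semodule -i sec_tun.pp
    secmark_rules | while IFS= read -r cmd; do
        eval "$cmd"
    done
}

if [ "${1:-}" = apply ]; then
    apply
else
    secmark_rules
    policy_module_te
fi
```

The ordering inside `apply` matters for the same reason the thread describes: loading the module before the first iptables rule means the `allow ... :packet { send recv }` rules exist by the time the kernel starts checking packets, so no traffic is interrupted during the switch. After applying, `iptables -t security -L -v` shows the per-rule packet counters, and a non-zero count on the catch-all rule tells you which traffic still needs its own more specific label.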