high to low UDP stream

Hello everyone,

 

I am having a hard time figuring out if what I want to do is possible knowing the way that the MLS policy is designed. Basically I am wondering if it is possible to write a module or do some sort of network labeling to allow a UDP stream to be sent from a higher level process on an SELinux machine to a lower classification machine (peer-labeled with netlabel). Here is what I am trying to do:

 

s3 process -----> s2 machine (netlabel)

 

I am aware that this goes against the BLP model of no writes from high to low, but I just wanted to verify if it is possible to make an “exception” of sorts with SELinux. I have tried labeling outgoing packets with SECMARK to s2, but it is still denying the message based on the peer labeling. How do cross-domain guards accomplish this, since I think some are run on SELinux?

 

Thanks,

Blake

 

 

