On Mar 24, 2014, at 10:46 AM, Paul Moore <paul@xxxxxxxxxxxxxx> wrote:

> On Monday, March 24, 2014 10:26:09 AM Joe Nall wrote:
>> If I 'semanage interface -a -t netif_t -r s0-s1 eth1' and
>> 'netlabelctl unlbl add interface:eth1 address:1.2.3.4/32
>> label:remote_u:remote_r:router_t:s1' ...
>
> Don't forget that the 'netlabelctl unlbl add ...' commands only set the label
> on *incoming* traffic that isn't otherwise labeled. The static/fallback
> labels have no effect on outbound traffic.
>
>> ... and the kernel needs to send ICMP packets on that interface to 1.2.3.4,
>> what should the context of the outbound ICMP packets be?
>
> What kind of ICMP packets? If it is a ping/echo reply then the label will be
> dependent on both the labeled IPsec configuration and the label on the
> ping/echo request.

Probably 'Destination unreachable'. Forensics were limited since the system was in use by real people :)

The question might be better put as 'Are there any circumstances in which the egress is kernel_t:s15:c0.c1023?'

joe

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.