On Monday, March 24, 2014 11:00:25 AM Joe Nall wrote:
> On Mar 24, 2014, at 10:46 AM, Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> > On Monday, March 24, 2014 10:26:09 AM Joe Nall wrote:
> >> If I 'semanage interface -a -t netif_t -r s0-s1 eth1' and
> >> 'netlabelctl unlbl add interface:eth1 address:1.2.3.4/32
> >> label:remote_u:remote_r:router_t:s1' ...
> >
> > Don't forget that the 'netlabelctl unlbl add ...' commands only set the
> > label on *incoming* traffic that isn't otherwise labeled. The
> > static/fallback labels have no effect on outbound traffic.
> >
> >> ... and the kernel needs to send ICMP packets on that interface to
> >> 1.2.3.4, what should the context of the outbound ICMP packets be?
> >
> > What kind of ICMP packets? If it is a ping/echo reply then the label will
> > be dependent on both the labeled IPsec configuration and the label on the
> > ping/echo request.
>
> Probably 'Destination unreachable'. Forensics were limited since the system
> was in use by real people :)

Assuming NetLabel, a destination unreachable ICMP error should take the label
of the packet that generated the error. If labeled IPsec, it might end up as
kernel_t due to how the flows/routing table work; I would need to go look
closer at the code to say for certain.

> The question might be better put as 'Are there any circumstances in which
> the egress is kernel_t:s15:c0.c1023?'

Probably :)

Basically you'll get the kernel's initial sid, which is kernel_t:s15:c0.c1023
with the MLS policy, when the traffic is generated by the kernel and there is
no associated peer label.

--
paul moore
www.paul-moore.com

_______________________________________________
Selinux mailing list
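The thread pairs an interface range (`semanage interface -r s0-s1 eth1`) with a NetLabel fallback label (`...:router_t:s1`) and asks what kernel-generated egress ends up as. One sanity check an administrator can run before applying such a configuration is that the MLS sensitivity of every label involved lies inside the range assigned to the interface, since the MLS constraints on network interfaces compare the packet's level against the interface's range. The following POSIX shell script is an added example, not code from the thread or from the NetLabel or SELinux projects; it embeds the contexts and range from the thread as constructed input, checks only the sensitivity level (categories are ignored, which is an assumption that simplifies the check), and uses the hypothetical helper names `sens_num`, `ctx_level` and `level_in_range`.

```shell
#!/bin/sh
# Added example (not from the thread): check that the MLS sensitivity of a
# NetLabel fallback label, or of the kernel's initial SID, lies within the
# range configured on a network interface. Categories are ignored.

# Return the numeric sensitivity of an MLS level such as "s1" or "s15:c0.c1023".
sens_num() {
    lvl=${1%%:*}        # drop any ":c0.c1023" category suffix
    echo "${lvl#s}"     # drop the leading 's'
}

# Return the MLS level (everything after the type) of a full context,
# e.g. remote_u:remote_r:router_t:s1 -> s1
#      system_u:system_r:kernel_t:s15:c0.c1023 -> s15:c0.c1023
ctx_level() {
    echo "$1" | cut -d: -f4-
}

# Usage: level_in_range <context> <range>
# <range> is "sLow-sHigh" (as given to semanage interface -r) or a single "sN".
# Exit status 0 when the context's sensitivity is within the range.
level_in_range() {
    ctx=$1
    range=$2
    lvl=$(sens_num "$(ctx_level "$ctx")")
    case $range in
        *-*) low=$(sens_num "${range%%-*}"); high=$(sens_num "${range#*-}") ;;
        *)   low=$(sens_num "$range"); high=$low ;;
    esac
    [ "$lvl" -ge "$low" ] && [ "$lvl" -le "$high" ]
}

# Constructed input taken from the commands quoted in the thread.
IFACE_RANGE="s0-s1"                                   # semanage interface -r s0-s1 eth1
FALLBACK_LABEL="remote_u:remote_r:router_t:s1"        # netlabelctl unlbl add ... label:
KERNEL_INITIAL_SID="system_u:system_r:kernel_t:s15:c0.c1023"  # kernel_t under MLS policy

for ctx in "$FALLBACK_LABEL" "$KERNEL_INITIAL_SID"; do
    if level_in_range "$ctx" "$IFACE_RANGE"; then
        echo "OK:   $ctx is within interface range $IFACE_RANGE"
    else
        echo "WARN: $ctx is outside interface range $IFACE_RANGE"
    fi
done
```

Run as `sh check_netif_range.sh`. With the thread's values the fallback label passes and the kernel's initial SID does not, which is the configuration-level reason egress packets that fall back to `kernel_t:s15:c0.c1023` stand out on an interface ranged `s0-s1`.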