I would concur this is likely as well. I am sure I have seen it a number of times depending on the scenario.

On Mon, Mar 24, 2014 at 12:22 PM, Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> On Monday, March 24, 2014 11:00:25 AM Joe Nall wrote:
>> On Mar 24, 2014, at 10:46 AM, Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
>> > On Monday, March 24, 2014 10:26:09 AM Joe Nall wrote:
>> >> If I 'semanage interface -a -t netif_t -r s0-s1 eth1' and 'netlabelctl unlbl add interface:eth1 address:1.2.3.4/32 label:remote_u:remote_r:router_t:s1' ...
>> >
>> > Don't forget that the 'netlabelctl unlbl add ...' commands only set the label on *incoming* traffic that isn't otherwise labeled. The static/fallback labels have no effect on outbound traffic.
>> >
>> >> ... and the kernel needs to send ICMP packets on that interface to 1.2.3.4, what should the context of the outbound ICMP packets be?
>> >
>> > What kind of ICMP packets? If it is a ping/echo reply then the label will be dependent on both the labeled IPsec configuration and the label on the ping/echo request.
>>
>> Probably 'Destination unreachable'. Forensics were limited since the system was in use by real people :)
>
> Assuming NetLabel, a destination unreachable ICMP error should take the label of the packet that generated the error. If labeled IPsec, it might end up as kernel_t due to how the flows/routing table work; I would need to go look closer at the code to say for certain.
>
>> The question might be better put as 'Are there any circumstances in which the egress is kernel_t:s15:c0.c1023?'
>
> Probably :)
>
> Basically you'll get the kernel's initial sid, which is kernel_t:s15:c0.c1023 with the MLS policy, when the traffic is generated by the kernel and there is no associated peer label.
>
> --
> paul moore
> www.paul-moore.com
>
> _______________________________________________
> Selinux mailing list
> Selinux@xxxxxxxxxxxxx
> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
> To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.