On 08/25/2014 10:30 AM, Paul Moore wrote:
> On Mon, Aug 25, 2014 at 10:00 AM, Stepan G. Fedorov <stfedorov@xxxxxxxxx> wrote:
>> 25.08.2014 17:10, Stephen Smalley wrote:
>>
>>> Legacy network checks are gone; use peer labeling or secmark instead,
>>> http://paulmoore.livejournal.com/tag/documentation
>>
>>
>> Thank you for quick reply!
>>
>> In case of "just installed" system, where no iptables SECMARK rules present,
>> and no labeled packets arrive on network interface - what will be selinux
>> contexts of all incoming packets?
>
> In this case the incoming packets would be labeled "unlabeled_t", just
> like any other unlabeled data on the system.

...but the new network permission checks will not be applied until/unless you configure secmark or labeled networking. Or set the always_check_network policy capability to 1 for secmark, if your kernel supports that.
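An added example, not part of the thread or of any SELinux project code: a small audit script that reports whether the secmark conditions named in the reply above hold, by reading the always_check_network policy capability and counting SECMARK rules in an iptables-save dump. The function names, the sample rule and the temporary paths are constructed for illustration; peer labeling (labeled networking) is not inspected.

```shell
#!/bin/sh
# Added example. On a live host, pass /sys/fs/selinux and a file holding the
# output of `iptables-save`; here both are constructed so the script runs offline.

# Prints 1, 0, or "unsupported" (kernel/policy does not expose the capability).
policycap_always_check_network() {
    capfile="$1/policy_capabilities/always_check_network"
    if [ -r "$capfile" ]; then cat "$capfile"; else echo "unsupported"; fi
}

# Counts rules that use the SECMARK target in an iptables-save dump.
count_secmark_rules() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c -- '-j SECMARK' "$1" || true
}

# Summarises whether the secmark packet checks would be applied.
netcheck_status() {
    cap=$(policycap_always_check_network "$1")
    n=$(count_secmark_rules "$2")
    if [ "$cap" = "1" ]; then
        echo "secmark-active: always_check_network=1"
    elif [ "$n" -gt 0 ]; then
        echo "secmark-active: $n SECMARK rule(s) loaded"
    else
        echo "secmark-inactive: no SECMARK rules, always_check_network=$cap"
    fi
}

# Constructed demo data: a "just installed" host, then one SECMARK rule added.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/selinuxfs/policy_capabilities"
    echo 0 > "$d/selinuxfs/policy_capabilities/always_check_network"
    printf '%s\n' '*security' ':INPUT ACCEPT [0:0]' 'COMMIT' > "$d/fresh.rules"
    printf '%s\n' '*security' ':INPUT ACCEPT [0:0]' \
        '-A INPUT -p tcp -m tcp --dport 22 -j SECMARK --selctx system_u:object_r:ssh_server_packet_t:s0' \
        'COMMIT' > "$d/labeled.rules"
    netcheck_status "$d/selinuxfs" "$d/fresh.rules"
    netcheck_status "$d/selinuxfs" "$d/labeled.rules"
    rm -rf "$d"
}

demo
```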