On 08/25/2014 10:46 AM, Stepan G. Fedorov wrote:
>> In this case the incoming packets would be labeled "unlabeled_t", just
>> like any other unlabeled data on the system.
>
> Can you please tell where exactly I can see this in the Linux source
> code for better understanding?

secmark or peer label?

secmark label: Unless set by net/netfilter/xt_*SECMARK.c, secmark should just be zero (cleared upon skb allocation) and thus will be remapped by security/selinux/ss/sidtab.c:sidtab_search_core() to the UNLABELED initial SID.

peer label: security/selinux/hooks.c:selinux_skb_peerlbl_sid() asks the xfrm (ipsec) and netlabel (cipso) subsystems for any labeling information for the packet and then calls security/selinux/ss/services.c:security_net_peersid_resolve() to make the final determination. In the absence of any labeling information, we'll also end up with SECSID_NULL i.e. 0 and then the sidtab will again remap it to the UNLABELED initial SID.
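The two remapping paths described in the reply, as an added userspace model written for this thread (not kernel code): the sidtab contents, the SID 1000 context and the NETLBL_NLTYPE_* numbering are constructed for illustration, and the MLS comparison the real security_net_peersid_resolve() performs when both xfrm and NetLabel supply a label is omitted.

```c
/* Added example written for this thread, not kernel code: a userspace model
 * of sidtab_search_core() and security_net_peersid_resolve(). The sidtab is a
 * constructed toy table; the NETLBL_NLTYPE_* values are illustrative. */
#include <string.h>

#define SECSID_NULL             0u
#define SECINITSID_UNLABELED    3u   /* as in security/selinux/include/flask.h */
#define NETLBL_NLTYPE_NONE      0u   /* illustrative value */
#define NETLBL_NLTYPE_UNLABELED 2u   /* illustrative value */
#define NETLBL_NLTYPE_CIPSOV4   3u   /* illustrative value */

/* Constructed sidtab. SID 0 (SECSID_NULL) is absent, as in the real table. */
static const struct { unsigned sid; const char *ctx; } sidtab[] = {
    { 1,    "system_u:system_r:kernel_t:s0" },
    { 3,    "system_u:object_r:unlabeled_t:s0" },
    { 1000, "system_u:object_r:ssh_server_packet_t:s0" },   /* constructed */
};

/* Model of sidtab_search_core(): a SID with no entry is remapped to
 * SECINITSID_UNLABELED and the lookup retried. A zero secmark, or the
 * SECSID_NULL peer SID of an unlabeled packet, both end up here. */
const char *sidtab_lookup(unsigned sid)
{
    for (int pass = 0; pass < 2; pass++) {
        for (size_t i = 0; i < sizeof sidtab / sizeof sidtab[0]; i++)
            if (sidtab[i].sid == sid)
                return sidtab[i].ctx;
        sid = SECINITSID_UNLABELED;        /* remap invalid SID, retry once */
    }
    return NULL;
}

/* Model of the single-or-absent-label cases of security_net_peersid_resolve().
 * When both xfrm and NetLabel supply a SID the kernel also compares their MLS
 * ranges before returning xfrm_sid; that comparison is omitted here. */
unsigned net_peersid_resolve(unsigned nlbl_sid, unsigned nlbl_type, unsigned xfrm_sid)
{
    if (xfrm_sid == SECSID_NULL)
        return nlbl_sid;
    if (nlbl_sid == SECSID_NULL || nlbl_type == NETLBL_NLTYPE_UNLABELED)
        return xfrm_sid;
    return xfrm_sid;
}

/* Whole path for one packet: resolve the peer SID, then look it up as the AVC would. */
const char *packet_peer_context(unsigned nlbl_sid, unsigned nlbl_type, unsigned xfrm_sid)
{
    return sidtab_lookup(net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid));
}
```

A packet carrying neither an xfrm nor a NetLabel label resolves to SECSID_NULL and comes back as unlabeled_t, while a packet with an xfrm SID keeps that label.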