On Thu, Jun 11, 2015 at 10:47 PM, Maurizio Pagani <pag.maurizio@xxxxxxxxx> wrote:
> ok, I attached also the community on this thread.
>>
>> -----Original Message-----
>>
>> From: Stephen Smalley [mailto:sds@xxxxxxxxxxxxx]
[...]
>> In any event, SELinux network permission checks have changed over time.
>> The netif { tcp_recv tcp_send udp_recv udp_send } checks were legacy
>> network checks that were removed in Linux 2.6.30. netif { ingress egress }
>> are newer checks that are only enabled if you have configured peer labeling
>> via NetLabel or labeled IPSEC/xfrm.

As Stephen already mentioned, recent Linux kernels only listen to the egress/ingress permissions in the netif class. The other permissions might still be marked as "existing" for backwards compatibility, but they are not enforced anymore.

See http://lists.openwall.net/netdev/2009/03/27/144

To enable the egress/ingress support however, you need to use either Labeled IPSec or NetLabel/CIPSO support. If you want to use SECMARK, then the controls are not on the netif class, but on the packet classes.

Wkr,
  Sven Vermeulen

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
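The practical consequence of the thread is that a policy can carry netif rules which the kernel never evaluates, so a rule that "looks" restrictive may grant nothing and a rule that is missing may deny nothing. The following is an added example (not code from the thread or from the SELinux project) that audits allow rules for permissions the running kernel no longer enforces, using the two facts stated above: on netif only ingress and egress are checked, and SECMARK decisions are made on the packet class. The packet-class permission list, the selinuxfs path, the rule syntax accepted by the parser and all sample rules are assumptions or constructed data, not values from the thread.

```python
"""Flag SELinux allow rules whose netif/packet permissions are not enforced.

Added example: the rule lines and the permission tables below are constructed
for illustration; they are not taken from any real policy.
"""
import re
from pathlib import Path

# Permissions the kernel actually checks for each network class.
# netif: per the thread, only ingress/egress survive since Linux 2.6.30 and
#        are active only with NetLabel/CIPSO or labeled IPsec peer labeling.
# packet: SECMARK controls live here (assumption: current kernel classmap).
ENFORCED_PERMS = {
    "netif": {"ingress", "egress"},
    "packet": {"send", "recv", "relabelto", "forward_in", "forward_out"},
}

# Matches `allow src tgt:class perm;` or `allow src tgt:class { p1 p2 };`
RULE_RE = re.compile(
    r"^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>[^\s:]+):(?P<cls>\w+)\s+"
    r"(?P<perms>\{[^}]*\}|\w+)\s*;"
)


def parse_rule(line):
    """Return the parts of one allow rule, or None if the line is not one."""
    m = RULE_RE.match(line)
    if not m:
        return None
    perms = m.group("perms").strip("{}").split()
    return {"src": m.group("src"), "tgt": m.group("tgt"),
            "cls": m.group("cls"), "perms": perms}


def audit_rules(lines):
    """List rules on netif/packet that name permissions the kernel ignores.

    Each finding records the original rule, its class and the dead permissions,
    so a reviewer can see which grants are illusory (e.g. netif tcp_send).
    """
    findings = []
    for line in lines:
        rule = parse_rule(line)
        if rule is None or rule["cls"] not in ENFORCED_PERMS:
            continue
        dead = sorted(p for p in rule["perms"]
                      if p not in ENFORCED_PERMS[rule["cls"]])
        if dead:
            findings.append({"rule": line.strip(), "class": rule["cls"],
                             "unenforced": dead})
    return findings


def loaded_netif_perms(selinuxfs="/sys/fs/selinux"):
    """Permissions the *loaded policy* defines for netif, read from selinuxfs.

    Returns None when selinuxfs is not mounted. Note the asymmetry the thread
    points out: a permission listed here is defined by the policy, which does
    not mean the kernel enforces it; compare against ENFORCED_PERMS["netif"].
    """
    perms_dir = Path(selinuxfs) / "class" / "netif" / "perms"
    if not perms_dir.is_dir():
        return None
    return {p.name for p in perms_dir.iterdir()}


# Constructed sample rules (types and labels are made up).
SAMPLE_RULES = [
    "allow httpd_t eth0_t:netif { tcp_send udp_send egress };",
    "allow httpd_t eth0_t:netif ingress;",
    "allow httpd_t http_packet_t:packet { send recv };",
    "allow httpd_t httpd_log_t:file { read write };",
]

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"{f['class']}: unenforced {f['unenforced']} in: {f['rule']}")
    defined = loaded_netif_perms()
    if defined is not None:
        print("policy defines netif perms:", sorted(defined))
        print("kernel enforces only:", sorted(ENFORCED_PERMS["netif"]))
```

Running it on the constructed sample reports the first rule (tcp_send and udp_send are dead weight; only egress counts) and stays silent on the packet rule, which is where SECMARK-based controls actually belong. On a live system `loaded_netif_perms()` shows what the policy defines, which the thread's point says must not be read as what is enforced.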