On Fri, Sep 25, 2015 at 12:25:03PM -0400, Stephen Smalley wrote:

<snip>

> > > > 4. peers are checked with netlabel, but you only need one peer type
> > > > (i.e. you can't associate different peer types with different peers)
> > >
> > > peer labeling can be based on labeled IPSEC or netlabel.
> > > NetLabel can only pass MLS labels across the network, although it can
> > > convey full contexts locally (see the selinux-testsuite for a configured
> > > example under tests/inet_socket or the SELinux Notebook for further
> > > examples).
> > > Labeled IPSEC can pass full labels locally or across the network (ditto).
> >
> > So I only need a single "peer type" (the one associated with the peer isid)
>
> Guessing you mean the netmsg isid here; that's for NetLabel only and only to
> provide a default user/role/type for CIPSO packets. netlabelctl can be
> configured to specify other fallbacks.

Thanks a lot. That cleared it up for me. Yes indeed I meant netmsg isid.

I basically exposed a macro that allowed one to create additional "peer types"
earlier. So I removed that. There is now only one peer type (peer.peer), and
that is the one associated with the netmsg isid.

Pretty much everything else seems to be in order.

Thanks again for your patience and guidance

-- 
02DFF788
4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
https://sks-keyservers.net/pks/lookup?op=get&search=0x314883A202DFF788
Dominick Grift
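The arrangement the reply settles on (a single peer type, bound to the netmsg initial SID, with NetLabel supplying any other fallback labels at runtime) can be written out as a small CIL policy fragment. This is an added illustration, not code from the thread or from Dominick's policy: the block name `peer`, the domain `mydomain`, the DOI value and the address range are assumptions chosen for the example, and the `netlabelctl` commands in the comments are the admin-side counterpart described in Stephen's reply rather than policy.

```cil
; Added example, not from the thread. Assumes a base policy that already
; declares the initial SIDs (sid/sidorder), the user system_u, the role
; object_r and the sensitivity s0. Block and domain names are hypothetical.

(block peer
    ; The one and only peer type. Its kernel-visible name is "peer.peer",
    ; which is the string that appears in netlabelctl labels below.
    (type peer)
    (roletype object_r peer)
    (context default_ctx (system_u object_r peer ((s0) (s0))))
)

; netmsg is the initial SID NetLabel uses to build the default
; user/role/type for incoming CIPSO packets; only the MLS portion
; (sensitivity/categories) is carried on the wire, so the type part
; of every CIPSO-labeled packet resolves to peer.peer.
(sidcontext netmsg peer.default_ctx)

; Hypothetical domain allowed to receive from the single peer type.
; The "peer" object class with permission "recv" is what the kernel
; checks for labeled-peer traffic.
(type mydomain)
(roletype object_r mydomain)
(allow mydomain peer.peer (peer (recv)))

; Runtime side (netlabel-tools, run by the administrator, not policy):
;
;   ; accept CIPSO DOI 1 in pass-through mode with the restricted bitmap tag
;   netlabelctl cipsov4 add pass doi:1 tags:1
;   netlabelctl map add default protocol:cipsov4,1
;
;   ; "other fallbacks": unlabeled packets from a constructed example
;   ; range are given the same single peer type instead of the
;   ; unlabeled initial SID
;   netlabelctl unlbl add default address:192.0.2.0/24 label:system_u:object_r:peer.peer:s0
```

Because there is one peer type, the `sidcontext` for netmsg and any `unlbl` fallback labels all point at `peer.peer`; per-peer distinctions come only from the MLS range, which is the part NetLabel can transport. A policy that wants different types for different peers would need labeled IPsec instead, as the quoted reply notes.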