Re: SELinux system configuration using CIPSO

I'm somewhat limited the next few days with just my phone for network
access, but the link below has some basic examples. The netlabelctl manpage
may also be helpful. Finally, as Stephen already pointed out, the
LSPP/audit-test project has some inter-machine CIPSO tests, but you will
have to do some digging to get at the configuration examples.

* http://www.paul-moore.com/blog/d/2009/02/netlabel-address-selectors.html

--
paul moore
www.paul-moore.com



On November 15, 2016 1:56:22 PM Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote:

> On 11/15/2016 10:43 AM, Stephen Smalley wrote:
>> On 11/15/2016 01:34 PM, Casey Schaufler wrote:
>>> On 11/15/2016 10:14 AM, Stephen Smalley wrote:
>>>> On 11/15/2016 12:28 PM, Casey Schaufler wrote:
>>>>> I am looking for an SELinux configuration that uses CIPSO.
>>>>> Ideally, it would be based on a readily available distro,
>>>>> but I'm willing to perform semi-heroic acts if I have to.
>>>>> I'm not in a position to develop it myself, nor would that
>>>>> really suit my nefarious purposes. Thank you.
>>>> Can you clarify what you mean?  There is a sample NetLabel configuration
>>>> in the selinux-testsuite (in tests/inet_socket/netlabel-load) that
>>>> configures full SELinux labeling over loopback connections, used by the
>>>> inet_socket tests.  And the corresponding SELinux policy rules for those
>>>> tests can be found in policy/test_inet_socket.te within the testsuite.
>>> That will probably get me started. I'll have a look at the test
>>> documentation. I am also looking for a configuration that I can
>>> use for exploring a "real" CIPSO environment, where two or more
>>> machines are talking to each other using CIPSO. I think that I
>>> understand how that is supposed to work, but there's nothing like
>>> seeing the packets fly. Is there a case for that in the test suite?
>>> Thank you.
>> Not in the selinux-testsuite, since it doesn't presently require/expect
>> you to set up two different systems.  Probably the lspp testsuite or
>> Paul Moore's blog or maybe the SELinux Notebook for samples of that kind
>> of configuration.  Note that in that cross-machine case, CIPSO only
>> passes an encoding of the MLS label, not the user:role:type information.
>
> Yeah, the cross machine MLS only encoding is one of the things
> that I'm most interested in examining carefully. I can't help
> but think that that is something that could be somewhat tricky
> to set up, which is why I'm hoping that there's an example I
> can look at and play with.
>


_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
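Stephen's point that the cross-machine CIPSO case carries only an encoding of the MLS label, and Casey's wish to see the packets fly, are easiest to check against the bytes on the wire. The following is an added example written for this thread, not code from NetLabel, the kernel or the selinux-testsuite: it encodes and decodes the CIPSO IPv4 option (IP option type 134, tag type 1 "restricted bitmap") as it appears in a packet between two CIPSO hosts. It assumes a pass-through DOI on both sides (for example `netlabelctl cipsov4 add pass doi:1 tags:1`), under which CIPSO sensitivity level N and category bit M correspond one to one to SELinux `sN` and `cM`; the DOI value 1 and the sample labels are constructed.

```python
"""Encode and decode the CIPSO IPv4 option (IP option type 134) so the label
carried between two CIPSO hosts can be inspected byte by byte.

Added example for this thread, not code from NetLabel, the kernel or the
selinux-testsuite. Assumes a pass-through DOI on both hosts (for instance
``netlabelctl cipsov4 add pass doi:1 tags:1``), so that CIPSO level N and
category bit M map directly to SELinux ``sN`` and ``cM``; DOI 1 and the
sample labels below are constructed values."""
import struct

CIPSO_OPTION_TYPE = 134        # IP option number assigned to CIPSO
TAG_RESTRICTED_BITMAP = 1      # tag type 1: one level octet plus a category bitmap
MAX_BITMAP_BYTES = 30          # a tag-type-1 bitmap covers at most 240 categories


def encode_cipso(doi, level, categories):
    """Build a CIPSO option carrying a single tag-type-1 tag.

    The IP layer, not the option itself, pads the header to a 32-bit
    boundary, so the length octet here is the unpadded option length."""
    if not 0 <= level <= 255:
        raise ValueError("sensitivity level must fit in one octet")
    nbytes = (max(categories) // 8 + 1) if categories else 0
    if nbytes > MAX_BITMAP_BYTES:
        raise ValueError("category number too large for a tag-type-1 bitmap")
    bitmap = bytearray(nbytes)
    for cat in categories:
        # Bit 0 of the bitmap is the most significant bit of the first octet.
        bitmap[cat // 8] |= 0x80 >> (cat % 8)
    tag = bytes([TAG_RESTRICTED_BITMAP, 4 + nbytes, 0, level]) + bytes(bitmap)
    body = struct.pack("!I", doi) + tag          # 4-octet DOI in network byte order
    return bytes([CIPSO_OPTION_TYPE, 2 + len(body)]) + body


def decode_cipso(option):
    """Parse a CIPSO option into (doi, tags), rejecting inconsistent lengths."""
    if len(option) < 6 or option[0] != CIPSO_OPTION_TYPE:
        raise ValueError("not a CIPSO option")
    length = option[1]
    if length != len(option):
        raise ValueError("option length does not match the data supplied")
    doi = struct.unpack("!I", option[2:6])[0]
    tags, pos = [], 6
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated tag header")
        ttype, tlen = option[pos], option[pos + 1]
        if tlen < 2 or pos + tlen > length:
            raise ValueError("tag length runs past the end of the option")
        if ttype == TAG_RESTRICTED_BITMAP:
            if tlen < 4 or tlen > 4 + MAX_BITMAP_BYTES:
                raise ValueError("bad tag-type-1 length")
            bitmap = option[pos + 4:pos + tlen]
            cats = [i * 8 + b for i, octet in enumerate(bitmap)
                    for b in range(8) if octet & (0x80 >> b)]
            tags.append({"type": ttype, "level": option[pos + 3], "categories": cats})
        else:
            # Other tag types (enumerated, ranged, local) are kept opaque here.
            tags.append({"type": ttype, "raw": bytes(option[pos + 2:pos + tlen])})
        pos += tlen
    return doi, tags


def mls_label(tag):
    """Render a decoded tag-type-1 tag as an SELinux MLS level string under the
    assumed pass-through DOI. Only the level and categories exist on the wire;
    the sender's user:role:type cannot be recovered from the packet."""
    if tag["type"] != TAG_RESTRICTED_BITMAP:
        raise ValueError("only tag type 1 is mapped here")
    cats = ",".join("c%d" % c for c in tag["categories"])
    return "s%d" % tag["level"] + (":" + cats if cats else "")


if __name__ == "__main__":
    # Constructed example: a packet labelled s1:c0,c2 in DOI 1.
    wire = encode_cipso(1, 1, [0, 2])
    print(wire.hex())                      # 860b0000000101050001a0
    doi, tags = decode_cipso(wire)
    print(doi, mls_label(tags[0]))         # 1 s1:c0,c2
```

Feeding `decode_cipso` the option bytes captured from a packet (for example the IP options field shown by a packet capture tool) gives back exactly what the receiving host's NetLabel DOI mapping has to work with: a DOI, a level and a category set, and nothing about the sending domain.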
