James Morris wrote:
> On Fri, 29 Sep 2006, Paul Moore wrote:
>>> ... or you get no CIPSO label (e.g. ICMP from intermediate router) ...
>>
>> If there is no packet label that NetLabel recognizes and NetLabel is
>> configured to allow unlabeled traffic then the NetLabel SID generated in
>> step #1 above would be 0.
>
> Well, conntrack will say that this packet is related to the connection
> and CONNSECMARK will restore the secmark label to it (i.e. it'll have the
> same secmark as the initial syn packet). But, no CIPSO label. I guess
> this needs to be considered in any case, secmark or not.
Yep, I would categorize this case as 'external label not present, internal
label present'. I believe the code as described would do the right thing in
allowing admins to control this, it's just up to how you configure the
system and what your policy dictates.

-- 
paul moore
linux security @ hp
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
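The 'external label not present, internal label present' case above is set up by the administrator, not by the kernel code: NetLabel has to be told to accept unlabeled packets, and the SECMARK/CONNSECMARK rules have to save the connection's secmark on the SYN and restore it onto RELATED packets such as an ICMP error from a router. The script below is an added example, not code from this thread or from the NetLabel project. The netlabelctl syntax is taken from netlabel_tools; the DOI, port, the `sshd_t` domain, the packet context and the peer subnet are hypothetical placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): NetLabel + SECMARK/CONNSECMARK setup
# for the "external label not present, internal label present" case.
# netlabelctl syntax follows netlabel_tools; DOI, port, domain and SELinux
# packet context are hypothetical placeholders (assumptions).

DOI=1
SSH_PORT=22
SOCK_DOMAIN="sshd_t"                          # hypothetical socket domain
PKT_CTX="system_u:object_r:ssh_packet_t:s0"   # hypothetical packet context

# NetLabel side. "unlbl accept on" is what lets a packet with no CIPSO
# option (e.g. an ICMP error from an intermediate router) through with a
# NetLabel SID of 0 instead of being dropped. With "unlbl accept off" the
# packet is rejected by NetLabel regardless of any secmark conntrack
# restores onto it, so the secmark alone does not save it.
netlabel_commands() {
    cat <<EOF
netlabelctl unlbl accept on
netlabelctl cipsov4 add pass doi:${DOI} tags:1
netlabelctl map add domain:"${SOCK_DOMAIN}" protocol:cipsov4,${DOI}
EOF
}

# Secmark side, mirrored on INPUT and OUTPUT. Order matters within each
# chain: SECMARK must label the NEW packet before CONNSECMARK --save copies
# that label into the conntrack entry. ESTABLISHED and RELATED packets
# (including the unlabeled ICMP error) then get the same secmark as the
# initial SYN via CONNSECMARK --restore.
iptables_commands() {
    for chain in INPUT OUTPUT; do
        cat <<EOF
iptables -t mangle -A ${chain} -m state --state NEW -p tcp --dport ${SSH_PORT} -j SECMARK --selctx ${PKT_CTX}
iptables -t mangle -A ${chain} -m state --state NEW -j CONNSECMARK --save
iptables -t mangle -A ${chain} -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
EOF
    done
}

# Applying requires root and a kernel with NetLabel, xt_SECMARK and
# xt_CONNSECMARK; by default the script only prints what it would run.
apply_config() {
    netlabel_commands | sh -e
    iptables_commands | sh -e
}

case "${1:-}" in
    --apply) apply_config ;;
    *) netlabel_commands; iptables_commands ;;
esac
```

Run without arguments to review the generated commands; run with `--apply` as root to install them. Whether the unlabeled ICMP error is then allowed or denied is decided by SELinux policy on the restored secmark (the packet context) and on the unlabeled NetLabel SID, which is the admin control Paul refers to.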