> >> Joe Nall wrote:
> >>
> >>> If the secid reconciliation patches don't make RH5, will localhost
> >>> IP connections have MLS policy applied?
> >>
> >> Just a second while I get my dead-horse-beating-mallets out of my
> >> desk drawer ... there we go.
> >>
> >> NetLabel, which *should* be present in RHEL5 with full support, works
> >> without problem over localhost. This means that, if NetLabel is
> >> configured for the sending domain, packets sent to/over/through the
> >> localhost interface will carry MLS attributes and will have MLS policy
> >> applied as one would expect.
> >
> > For 240 of the 1024 categories in the current policy :)
>
> Sheesh, Joe, you always have to be so picky ;)
>
> > Netlabel/CIPSO is great for talking to other operating systems, but
> > if it is the _only_ mechanism to label local IP sockets, we have a
> > problem.
>
> As it stands, I believe it is the only mechanism able to label local IP
> sockets that is currently in the RHEL5 kernel. One possible workaround
> would be to use UNIX domain sockets if you know you will be talking to a
> process on the local machine.
It should be possible in theory to set up labeled networking over loopback (you would have to first set the disable_xfrm ip_sysctl to 0 for the loopback interface). Even so, getpeercon() is currently broken, since it retrieves the context of the SA used by the local socket, as opposed to tracking and returning it from the SA of the peer. And if you do use NetLabel, if I remember correctly, the TE portion comes from the local socket as opposed to saying unlabeled_t (or potentially node or netif types). Is this still true, Paul? (Not trying to rake up the issue, just pointing it out.)

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
