Venkat Yekkirala wrote:
>>>> Joe Nall wrote:
>>> Netlabel/CIPSO is great for talking to other operating systems, but
>>> if it is the _only_ mechanism to label local IP sockets, we have a problem.
>>
>> As it stands, I believe it is the only mechanism able to label local IP
>> sockets that is currently in the RHEL5 kernel. One possible workaround
>> would be to use UNIX domain sockets if you know you will be talking to a
>> process on the local machine.
>
> It should be possible in theory to set up labeled networking over
> loopback (would have to first set the disable_xfrm ip_sysctl to 0
> for the loopback interface). Even so, getpeercon() is currently
> broken since it retrieves the context of the SA used by the local
> socket, as opposed to tracking and returning it from the SA of
> the peer.
>
> And if you do use NetLabel, if I remember correctly,
> the TE portion comes from the local socket as opposed
> to saying unlabeled_t (or potentially node, netif Types).
> Is this still true Paul? (not trying to rake up the issue,
> just pointing out).
Nope, in both the current net-2.6 git tree as well as the latest RHEL5
kernels getpeercon() returns "unlabeled_t" for a NetLabel connection.
Patches were posted to the netdev and SELinux lists a week or two ago and
accepted shortly afterwards. If anyone is still seeing the older behavior
please let me know or post something to the list.

-- 
paul moore
linux security @ hp

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
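A quick way to check which behavior a given kernel shows, as an added example that is not part of the thread or of any of the posters' code: the program below opens a TCP connection over 127.0.0.1 and asks each end for its peer's security context. It does not link against libselinux; instead it calls getsockopt(SO_PEERSEC) directly, which is the kernel interface libselinux's getpeercon() wraps, so it builds on any Linux box. Assumptions: the loopback interface is up; on a kernel without an LSM answering SO_PEERSEC the query fails with ENOPROTOOPT (the helper reports that rather than failing hard). With the fixed kernels Paul describes, an unlabeled peer over NetLabel should show a context whose type is unlabeled_t instead of echoing the querying socket's own context; the names loopback_pair and peer_context are this example's own.

```c
/* Added example (not from the thread): query a socket's peer security
 * context via getsockopt(SO_PEERSEC), the call libselinux's getpeercon()
 * wraps, on both ends of a loopback TCP connection. Linux only. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef SO_PEERSEC
#define SO_PEERSEC 31   /* asm-generic value; normally provided by <sys/socket.h> */
#endif

/* Copy the peer's security context (e.g. "system_u:object_r:unlabeled_t:s0")
 * into buf as a C string. Returns 0 on success, -1 with errno set otherwise;
 * errno == ENOPROTOOPT means no LSM is answering SO_PEERSEC on this kernel. */
static int peer_context(int fd, char *buf, size_t buflen)
{
    socklen_t len = (socklen_t)buflen;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERSEC, buf, &len) < 0)
        return -1;
    /* Kernel may or may not count a trailing NUL in len; always terminate. */
    if (len >= buflen)
        len = (socklen_t)(buflen - 1);
    buf[len] = '\0';
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n')   /* some LSMs append a newline */
        buf[n - 1] = '\0';
    return 0;
}

/* Open a TCP connection to ourselves over 127.0.0.1 on an ephemeral port.
 * On success stores the connected client and accepted server fds, returns 0;
 * on failure returns -1 with errno set (e.g. loopback interface down). */
static int loopback_pair(int *client, int *server)
{
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0)
        return -1;
    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = 0;                       /* kernel picks a free port */
    socklen_t alen = sizeof addr;
    if (bind(lfd, (struct sockaddr *)&addr, alen) < 0 ||
        listen(lfd, 1) < 0 ||
        getsockname(lfd, (struct sockaddr *)&addr, &alen) < 0)
        goto fail;
    int cfd = socket(AF_INET, SOCK_STREAM, 0);
    if (cfd < 0)
        goto fail;
    /* Connecting to a listening loopback socket completes the handshake
     * in-kernel, so a blocking connect() returns before we accept(). */
    if (connect(cfd, (struct sockaddr *)&addr, alen) < 0) {
        int e = errno; close(cfd); errno = e; goto fail;
    }
    int sfd = accept(lfd, NULL, NULL);
    if (sfd < 0) {
        int e = errno; close(cfd); errno = e; goto fail;
    }
    close(lfd);
    *client = cfd;
    *server = sfd;
    return 0;
fail:
    {
        int e = errno; close(lfd); errno = e;
        return -1;
    }
}

int main(void)
{
    int c, s;
    char ctx[256];
    if (loopback_pair(&c, &s) < 0) {
        perror("loopback_pair");
        return 1;
    }
    const char *what[2] = { "server sees client peer as", "client sees server peer as" };
    int fds[2] = { s, c };
    for (int i = 0; i < 2; i++) {
        if (peer_context(fds[i], ctx, sizeof ctx) == 0)
            printf("%s: %s\n", what[i], ctx);
        else
            printf("%s: unavailable (%s)\n", what[i], strerror(errno));
    }
    close(c);
    close(s);
    return 0;
}
```

If the two lines print your own process context rather than an unlabeled_t context (or the context carried by NetLabel/the peer's SA), you are on a kernel with the older behavior the thread describes.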
