On Mon, 2007-01-08 at 16:01 -0500, Eric Paris wrote:
> On Mon, 2007-01-08 at 15:55 -0500, Paul Moore wrote:
> > On Monday, January 8 2007 3:45 pm, Paul Moore wrote:
> > > On Monday, January 8 2007 3:31 pm, Eric Paris wrote:
> > > > > 3. Toggle to accept or reject unlabeled packets.
> > > > > Dan has completed this. He added a boolean, allow_unlabeled_packets,
> > > > > to selinux policy. Currently, because of a problem in lspp60
> > > > > kernel, boolean does not work. I tested the boolean on
> > > > > upstream kernel from kernel.org, 2.6.20-rc3-git4 and the boolean
> > > > > worked great and as expected. (See #5 below as to why
> > > > > it did not work in lspp60.)
> > > >
> > > > can paul make sure this works for NetLabel as well (since 5 shouldn't be
> > > > applicable to NetLabel)?
> > >
> > > I'll verify that this still works on lspp.60 but I have no reason to
> > > believe it wouldn't. The way NetLabel allows/denies non-NetLabel packets
> > > is different from IPsec.
> >
> > I just verified that this still works correctly. You can test it yourself by
> > doing the following:
> >
> > 1. Connect to the machine via the network (ssh, telnet, etc.)
> > 2. Once connected run a command that generates regular output (run 'date' in a
> >    loop)
> > 3. On a console on the machine run the following
> >
> > # netlabelctl -p unlbl accept off
> > <the output on the command from #2 should stop>
> > # netlabelctl -p unlbl accept on
> > <the output on the command from #2 should resume, assuming the TCP session
> > didn't die>
> >
> > You can check the status of the unlabeled accept flag by running the following
> > command:
> >
> > # netlabelctl -p unlbl list
>
> Beat me to it. Does the fact that netlabel and xfrm have different
> mechanisms for accomplishing the same thing change the 'correct' name
> for the boolean?
>

If I am understanding the question correctly, the boolean that Dan added will only work for ipsec.

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
