• Paul Moore's avatar
    SELinux: use SECINITSID_NETMSG instead of SECINITSID_UNLABELED for NetLabel · 9faf65fb
    Paul Moore authored
    These changes will make NetLabel behave like labeled IPsec where there is an
    access check for both labeled and unlabeled packets as well as providing the
    ability to restrict domains to receiving only labeled packets when NetLabel
    is in use.  The changes to the policy are straight forward with the
    following necessary to receive labeled traffic (with SECINITSID_NETMSG
    defined as "netlabel_peer_t"):
    
     allow mydom_t netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
    
    The policy for unlabeled traffic would be:
    
     allow mydom_t unlabeled_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
    
    These policy changes, as well as more general NetLabel support, are included
    in the SELinux Reference Policy SVN tree, r2352 or later.  Users who enable
    NetLabel support in the kernel are strongly encouraged to upgrade their
    policy to avoid network problems.
    Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
    Signed-off-by: default avatarJames Morris <jmorris@namei.org>
    9faf65fb
netlabel.c 9.58 KB