[refpolicy] Turning off unlabeled_t:packet { send recv }

[dwalsh@redhat.com (Daniel J Walsh)]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have been fooling around with SECMARK labeling.  And one problem that
I have found is that we don't have a way to turn off the use of the
unlabeled_t packets.  Every domain is allowed to send and recv
unlabeled_t packets.

The way you label a packet is by setting up iptables rules, if iptables
is shut down, we do not want SELinux to break the system by default.

But, in some cases where you want to set up security based on labeled
packets, you do want the packets to be blocked if the firewall goes down.

I was trying to setup an environment where you could label two types of
data intranet, internet.  Then I could assign which domains could talk
to the intranet an which domains can talk to the internet.  If the
iptables rules are removed, I do not want packets to flow to either side.

The mechanism I came up with to do this was to have a module
unlablednet.pp, that you can disable, in order to stop unlabeled_t
packets from being used from confined domains.

Here is the patch I used to make this work.

What do you think of the idea?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkztE1sACgkQrlYvE4MpobNT4gCfTyYe7mV/Ub2pxnAjdAU4cc0k
K+sAnjnUFRcUmm6eZTTeRceHnJb82wEn
=2qA4
-----END PGP SIGNATURE-----
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: unlabelednet.patch
Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20101124/49bbc6a5/attachment.pl 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: unlabelednet.patch.sig
Type: application/pgp-signature
Size: 72 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20101124/49bbc6a5/attachment.bin