From: shifflett@nps.edu (David Shifflett)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] MLS policy and networking
Date: Fri, 9 Mar 2012 14:33:08 -0800
Message-ID: <4F5A8524.8020507@nps.edu>
In-Reply-To: <4257537.7ZZEJ7UAa5@sifl>

OK, given the below info, I'll re-ask my original question.

I don't care about labeling all the network traffic or packets.
I want to label the interface and have the system
enforce the policy based on the process label and the interface label.

If I use semanage to label the eth1 interface s0
and the eth2 interface s1

Why is a process at s1 allowed to access eth1?

I am not in 'compat_net' mode,
so if semanage isn't the right way to label the interface,
should I use SECMARK, or netlabelctl?


BTW, I agree, clear as mud :)


dave

Paul Moore wrote:
<snip>
> * The semanage tool is simply a tool which assigns labels to resources and 
> entities on the system.  In the case of network related "things" it can assign 
> labels to interfaces and proto/port combinations.  It is important to note 
> that semanage does not label network traffic.
> 
> Hopefully that makes it all as clear as mud :)
> 
