From: Stephen Smalley <sds@tycho.nsa.gov>
To: "Stepan G. Fedorov" <stfedorov@gmail.com>,
Paul Moore <paul@paul-moore.com>
Cc: Selinux@tycho.nsa.gov
Subject: Re: semanage interface has no effect
Date: Mon, 25 Aug 2014 11:21:00 -0400
Message-ID: <53FB545C.3080106@tycho.nsa.gov>
In-Reply-To: <53FB4C5A.2030503@gmail.com>
On 08/25/2014 10:46 AM, Stepan G. Fedorov wrote:
>> In this case the incoming packets would be labeled "unlabeled_t", just
>> like any other unlabeled data on the system.
>
> Can you, please tell where exactly I can see this in the linux source
> code for better understanding?
>
secmark or peer label?
secmark label: Unless set by net/netfilter/xt_*SECMARK.c, secmark
should just be zero (cleared upon skb allocation) and thus will be
remapped by security/selinux/ss/sidtab.c:sidtab_search_core() to the
UNLABELED initial SID.
peer label: security/selinux/hooks.c:selinux_skb_peerlbl_sid() asks the
xfrm (ipsec) and netlabel (cipso) subsystems for any labeling
information for the packet and then calls
security/selinux/ss/services.c:security_net_peersid_resolve() to make
the final determination. In the absence of any labeling information,
we'll also end up with SECSID_NULL i.e. 0 and then the sidtab will again
remap it to the UNLABELED initial SID.
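The two fallback paths described above (a zero secmark, and an absent peer label, both ending up at the UNLABELED initial SID) are modelled in the added C program below. It is an illustration written for this page, not code from the kernel or from the author of the message: the SID values, the toy sidtab entries and the packet structure are all constructed, and the "both sources present" branch of the resolve step is simplified to an equality check (the kernel compares MLS components; consult security/selinux/ss/services.c for the real rule).

```c
#include <stdio.h>
#include <string.h>

/* Simplified model (not the kernel's code) of how SELinux turns packet
 * labeling information into SIDs, and how a missing label becomes the
 * UNLABELED initial SID. Constants below are chosen for this example. */
#define SECSID_NULL          0u   /* "no label" marker, same value as in the kernel */
#define SECINITSID_UNLABELED 3u   /* the UNLABELED initial SID; value assumed here */

/* Toy label inputs for one packet, analogous to what the SECMARK target,
 * xfrm (IPsec) and NetLabel (CIPSO) could report. Zero means "nothing". */
struct packet_labels {
    unsigned int secmark;   /* non-zero only if a SECMARK-style rule matched */
    unsigned int xfrm_sid;  /* from a labeled IPsec SA, if any */
    unsigned int nlbl_sid;  /* from a CIPSO/NetLabel option, if any */
};

/* Toy sidtab: SID-to-context table with two constructed entries. */
static const char *const sidtab[] = {
    [SECINITSID_UNLABELED] = "system_u:object_r:unlabeled_t:s0",
    [10] = "system_u:object_r:ipsec_peer_example_t:s0",   /* constructed */
    [11] = "system_u:object_r:netlabel_peer_example_t:s0", /* constructed */
};

/* Model of the sidtab lookup: SECSID_NULL is remapped to UNLABELED,
 * an unknown SID is reported as an error (NULL). */
static const char *sidtab_search(unsigned int sid)
{
    if (sid == SECSID_NULL)
        sid = SECINITSID_UNLABELED;
    if (sid >= sizeof(sidtab) / sizeof(sidtab[0]) || sidtab[sid] == NULL)
        return NULL;
    return sidtab[sid];
}

/* Model of the peer SID resolve step: if only one source labeled the
 * packet, use it; if neither did, hand back SECSID_NULL so the sidtab
 * lookup yields UNLABELED; if both did, this model requires them to agree
 * (simplification) and otherwise fails with SECSID_NULL.
 * Returns 0 on success, -1 on conflict. */
static int peersid_resolve(unsigned int nlbl_sid, unsigned int xfrm_sid,
                           unsigned int *peer_sid)
{
    if (nlbl_sid == SECSID_NULL && xfrm_sid == SECSID_NULL) {
        *peer_sid = SECSID_NULL;
        return 0;
    }
    if (nlbl_sid == SECSID_NULL) {
        *peer_sid = xfrm_sid;
        return 0;
    }
    if (xfrm_sid == SECSID_NULL) {
        *peer_sid = nlbl_sid;
        return 0;
    }
    if (nlbl_sid != xfrm_sid) {
        *peer_sid = SECSID_NULL;
        return -1;
    }
    *peer_sid = xfrm_sid;
    return 0;
}

/* Resolved peer SID, or SECSID_NULL when the sources conflict. */
static unsigned int resolved_peer_sid(unsigned int nlbl_sid, unsigned int xfrm_sid)
{
    unsigned int peer;
    peersid_resolve(nlbl_sid, xfrm_sid, &peer);
    return peer;
}

/* Context string for the packet's secmark (zero -> unlabeled_t). */
static const char *packet_secmark_context(const struct packet_labels *p)
{
    return sidtab_search(p->secmark);
}

/* Context string for the packet's peer label, NULL on a source conflict. */
static const char *packet_peer_context(const struct packet_labels *p)
{
    unsigned int peer;
    if (peersid_resolve(p->nlbl_sid, p->xfrm_sid, &peer) != 0)
        return NULL;
    return sidtab_search(peer);
}

int main(void)
{
    /* Constructed packets: one with no labeling at all, one over labeled IPsec. */
    struct packet_labels plain = { .secmark = 0, .xfrm_sid = 0, .nlbl_sid = 0 };
    struct packet_labels ipsec = { .secmark = 0, .xfrm_sid = 10, .nlbl_sid = 0 };

    printf("plain secmark: %s\n", packet_secmark_context(&plain));
    printf("plain peer:    %s\n", packet_peer_context(&plain));
    printf("ipsec peer:    %s\n", packet_peer_context(&ipsec));
    return 0;
}
```

Running it shows both contexts of the unlabeled packet resolving to unlabeled_t, which is why a policy rule written against any other type never matches such traffic; the labeled IPsec packet resolves to the constructed xfrm context instead.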