From mboxrd@z Thu Jan 1 00:00:00 1970
From: christophe.hauser@supelec.fr (Christophe Hauser)
Date: Thu, 26 Apr 2012 18:12:51 +0200
Subject: Netlabel
Message-ID: <20120426161251.GD23964@Latty>
To: kernelnewbies@lists.kernelnewbies.org
List-Id: kernelnewbies.lists.kernelnewbies.org

Hi all,

is anyone here familiar with Netlabel?

I am trying to label network packets using CIPSO tags from an LSM module.
Rather than using the Netlink interface to configure Netlabel from
userspace, I try to set up everything from kernelspace.

The way I initialize netlabel is similar to what smack does in
smk_cipso_doi() (security/smack/smackfs.c).

What I am trying to do is the following:
- no packet should ever get dropped
- unlabeled packets can stay unlabeled, I don't need to assign them any DOI
- labeled packets carry information that is only useful to my LSM module
  (bitmaps)

Now, every time I label a socket, packets get dropped.

I read in the RFC about configuration settings such as HOST_LABEL_MAX and
so on, but as far as I understand, it is up to the module itself to make
such verifications.

Is netlabel enforcing any sort of policy here?
Is there any way I can configure netlabel to never drop packets?

Kind regards,
-- 
Christophe