[redhat-lspp] Labeled networking MLS constraints?

Paul Moore paul.moore at hp.com
Wed Oct 18 14:43:10 UTC 2006


Paul Moore wrote:
> Paul Moore wrote:
> 
>>Venkat Yekkirala wrote:
>>
>>>Actually, if the incoming SYN can't be received by the listening
>>>socket, the handshake should fail at that point in time (as enforced
>>>in selinux_sock_rcv_skb). No child sock should be created. Have you
>>>noticed a different behavior?
>>
>>I thought there was part of the initial handshake that would get skipped over by
>>sock_rcv_skb() because either skb->sk_socket was NULL or the socket didn't have
>>a SID assigned yet.  If that isn't the case then I think Klaus is your new
>>best friend :)
>>
> 
> Ungh, forget what I said above; I was thinking of the behavior before the
> MLSXFRM patches went into the kernel.
> 

I just verified that a single level netcat server (had to start the netcat
server in permissive mode) running over a NetLabel connection on a system with
the lspp.52 kernel and the 2.3.19-2 MLS policy will only allow single level
connections.  Incoming connections not at the same level will be rejected at the
initial connection request and an ICMP error will be sent to the client per the
CIPSO spec.

Sorry about all that :(

-- 
paul moore
linux security @ hp
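The behaviour verified above, that a single-level socket on a NetLabel/CIPSO connection only accepts peers carrying exactly its own label and rejects everything else at the initial connection request, can be illustrated with the label comparison itself. The following is an added example, not code from this thread or from the kernel: it parses the CIPSO IP option (option type 134, a 4-byte DOI, then a tag type 1 restrictive bitmap carrying the sensitivity level and category bitmap) out of a constructed byte string and applies the single-level equality check. The extension to a ranged socket, where the packet label must lie within the socket's range under dominance, is this example's own assumption and is not something the message states; the kernel's real decision also involves the SELinux policy, which is not modelled here.

```python
"""Parse a CIPSO option and apply the MLS acceptance check a labeled socket would make."""
from dataclasses import dataclass

CIPSO_OPTION_TYPE = 134           # IP option type for CIPSO (0x86)
CIPSO_TAG_RESTRICTIVE_BITMAP = 1  # tag type 1: level byte + category bitmap


@dataclass(frozen=True)
class Label:
    """An MLS label: a sensitivity level and a set of category numbers."""
    level: int
    categories: frozenset


def parse_cipso_option(option: bytes) -> tuple[int, Label]:
    """Return (DOI, Label) from a raw CIPSO option carrying one tag type 1."""
    if len(option) < 6 or option[0] != CIPSO_OPTION_TYPE:
        raise ValueError("not a CIPSO option")
    length = option[1]
    if length != len(option) or length < 10:
        raise ValueError("bad option length")
    doi = int.from_bytes(option[2:6], "big")
    tag_type, tag_len = option[6], option[7]
    if tag_type != CIPSO_TAG_RESTRICTIVE_BITMAP:
        raise ValueError(f"unsupported CIPSO tag type {tag_type}")
    if tag_len < 4 or 6 + tag_len > length:
        raise ValueError("bad tag length")
    # Tag layout: type, length, alignment octet, sensitivity level, category bitmap.
    level = option[9]
    bitmap = option[10:6 + tag_len]
    cats = set()
    for byte_index, byte in enumerate(bitmap):
        for bit in range(8):
            # Category 0 is the most significant bit of the first bitmap byte.
            if byte & (0x80 >> bit):
                cats.add(byte_index * 8 + bit)
    return doi, Label(level, frozenset(cats))


def build_cipso_option(doi: int, label: Label) -> bytes:
    """Encode a label as a CIPSO option with a single tag type 1 (used to construct samples)."""
    max_cat = max(label.categories) if label.categories else -1
    nbytes = max_cat // 8 + 1 if max_cat >= 0 else 0
    bitmap = bytearray(nbytes)
    for cat in label.categories:
        bitmap[cat // 8] |= 0x80 >> (cat % 8)
    tag = bytes([CIPSO_TAG_RESTRICTIVE_BITMAP, 4 + nbytes, 0, label.level]) + bytes(bitmap)
    body = doi.to_bytes(4, "big") + tag
    return bytes([CIPSO_OPTION_TYPE, 2 + len(body)]) + body


def dominates(a: Label, b: Label) -> bool:
    """Standard MLS dominance: a >= b in level and a's categories include b's."""
    return a.level >= b.level and b.categories <= a.categories


def single_level_socket_accepts(sock_label: Label, pkt_label: Label) -> bool:
    """A single-level socket only accepts a peer whose label equals its own."""
    return sock_label == pkt_label


def ranged_socket_accepts(low: Label, high: Label, pkt_label: Label) -> bool:
    """Assumed generalization (not from the thread): the packet label must sit within [low, high]."""
    return dominates(pkt_label, low) and dominates(high, pkt_label)


def decide(sock_label: Label, option: bytes) -> str:
    """Mirror the observed behaviour: accept a matching SYN, reject the rest up front."""
    _doi, pkt_label = parse_cipso_option(option)
    if single_level_socket_accepts(sock_label, pkt_label):
        return "accept"
    # The message reports the mismatch is refused at the initial request with an ICMP error.
    return "reject-at-syn"


if __name__ == "__main__":
    server = Label(2, frozenset({1, 9}))          # constructed single-level server socket
    same = build_cipso_option(3, server)          # constructed peer at the same label
    higher = build_cipso_option(3, Label(3, frozenset({1, 9})))
    print("same level:", decide(server, same))
    print("different level:", decide(server, higher))
```

Running the block shows the two outcomes the thread describes: the same-label peer is accepted and the peer one level up is refused before any child socket would exist.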