[redhat-lspp] [RFC 0/7] Updated NetLabel patch
Klaus Weidner
klaus at atsec.com
Thu Jun 22 05:34:21 UTC 2006
On Wed, Jun 21, 2006 at 11:40:59PM -0400, Paul Moore wrote:
> So, once you boot your kernel you should probably run the following
> commands before you configure the machine to use CIPSO:
>
> # netlabelctl -p mgmt del default
> # netlabelctl -p unlbl accept off <---- OPTIONAL
>
> Let me know if this doesn't solve your problem.
I've tried that - after these commands, it accepts the mgmt command from
the README without complaining, but I can't get any communication to
work in enforcing mode even at the same level (all packets dropped?), and
in nonenforcing mode all connections get accepted even at different
levels. I must be missing something obvious (maybe the appropriate
selinux policy)?
What I'm using to test is:
# on a virtual console
login as root
newrole -r sysadm_r -l s1-s1
nc -l 3333
# on another VT
newrole -r sysadm_r -l s2-s2
nc localhost 3333
(or alternatively using the same level range on both)
Here's the list output, based on the commands from the README:
# netlabelctl -p cipsov4 list doi:1
Configured CIPSOv4 mapping (DOI = 1)
tags (1):
RESTRICTED BITMAP
levels (3):
0 = 0
1 = 1
2 = 2
categories (3):
0 = 0
1 = 1
2 = 2
# netlabelctl -p mgmt list
Configured NetLabel domain mappings (0, not including DEFAULT)
domain: DEFAULT
protocol: CIPSOv4, DOI = 1
-Klaus
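As an added illustration (not part of this post, and not code from the netlabel tools or the kernel), the following Python encodes and decodes the CIPSOv4 tag type 1 (restricted bitmap) IP option that the mapping listed above describes, so that the s1 and s2 labels used in the nc test can be seen as distinct bytes on the wire. It embeds the netlabelctl list output quoted in the post as constructed sample input, reads each "a = b" line as local = remote (the same order the netlabelctl add syntax uses; an assumption of this example), and the function names parse_cipso_mapping, encode_tag1 and decode_tag1 are the example's own.

```python
"""Added example (not from the redhat-lspp post or the netlabel tools): encode
and decode the CIPSOv4 tag type 1 (restricted bitmap) IP option described by
the netlabelctl mapping in the post, so the s1 vs s2 labels in the test can
be seen as distinct bytes on the wire."""
import re

CIPSO_OPTION_TYPE = 134        # IPv4 option number for CIPSO (0x86)
TAG_RESTRICTED_BITMAP = 1      # tag type 1: one sensitivity level plus a category bitmap
MAX_IP_OPTION_LEN = 40         # IPv4 options occupy at most 40 octets of the header
MAX_TAG1_BITMAP_OCTETS = 30    # tag type 1 bitmap is limited to 30 octets (240 categories)

# Constructed sample input: the "netlabelctl -p cipsov4 list doi:1" output
# quoted in the post, read here as "local = remote" (the order netlabelctl's
# "add" command uses); that reading is an assumption of this example.
NETLABELCTL_LIST_OUTPUT = """\
Configured CIPSOv4 mapping (DOI = 1)
tags (1):
RESTRICTED BITMAP
levels (3):
0 = 0
1 = 1
2 = 2
categories (3):
0 = 0
1 = 1
2 = 2
"""


def parse_cipso_mapping(text):
    """Return (doi, level_map, category_map); both maps are local -> on-wire."""
    doi, section = None, None
    level_map, cat_map = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Configured CIPSOv4 mapping \(DOI = (\d+)\)$", line)
        if m:
            doi = int(m.group(1))
        elif line.startswith("levels"):
            section = level_map
        elif line.startswith("categories"):
            section = cat_map
        elif line.startswith("tags"):
            section = None
        else:
            m = re.match(r"(\d+) = (\d+)$", line)
            if m and section is not None:
                section[int(m.group(1))] = int(m.group(2))
    if doi is None:
        raise ValueError("no DOI line found in netlabelctl output")
    return doi, level_map, cat_map


def encode_tag1(doi, level, categories, level_map, cat_map):
    """Build the CIPSO option bytes carrying a local (level, categories) label."""
    wire_level = level_map[level]            # KeyError: label has no mapping
    wire_cats = sorted(cat_map[c] for c in categories)
    nbytes = (max(wire_cats) // 8 + 1) if wire_cats else 0
    if wire_level > 255 or nbytes > MAX_TAG1_BITMAP_OCTETS:
        raise ValueError("label does not fit in a tag type 1")
    bitmap = bytearray(nbytes)
    for c in wire_cats:
        bitmap[c // 8] |= 0x80 >> (c % 8)   # category 0 is the MSB of the first octet
    # tag = type, length (incl. these 4 header octets), alignment octet, level, bitmap
    tag = bytes([TAG_RESTRICTED_BITMAP, 4 + nbytes, 0, wire_level]) + bytes(bitmap)
    # option = type, length, 4-octet DOI, tags
    opt = bytes([CIPSO_OPTION_TYPE, 6 + len(tag)]) + doi.to_bytes(4, "big") + tag
    if len(opt) > MAX_IP_OPTION_LEN:
        raise ValueError("CIPSO option exceeds the 40-octet IP option space")
    return opt


def decode_tag1(opt, level_map, cat_map):
    """Parse a CIPSO option holding one tag type 1 back into local terms.

    Returns (doi, local_level, sorted local categories). A label with no
    entry in the mapping is refused rather than guessed at.
    """
    if len(opt) < 10 or opt[0] != CIPSO_OPTION_TYPE or opt[1] != len(opt):
        raise ValueError("malformed CIPSO option header")
    doi = int.from_bytes(opt[2:6], "big")
    tag_type, tag_len = opt[6], opt[7]
    if tag_type != TAG_RESTRICTED_BITMAP or tag_len < 4 or 6 + tag_len != len(opt):
        raise ValueError("expected exactly one well-formed tag type 1")
    rev_levels = {v: k for k, v in level_map.items()}
    rev_cats = {v: k for k, v in cat_map.items()}
    wire_level = opt[9]                      # opt[8] is the alignment octet
    if wire_level not in rev_levels:
        raise ValueError("on-wire level %d has no local mapping" % wire_level)
    cats = []
    for i, octet in enumerate(opt[10:6 + tag_len]):
        for bit in range(8):
            if octet & (0x80 >> bit):
                wire_cat = i * 8 + bit
                if wire_cat not in rev_cats:
                    raise ValueError("on-wire category %d has no local mapping" % wire_cat)
                cats.append(rev_cats[wire_cat])
    return doi, rev_levels[wire_level], sorted(cats)


if __name__ == "__main__":
    doi, levels, cats = parse_cipso_mapping(NETLABELCTL_LIST_OUTPUT)
    for lvl in (1, 2):   # the s1 and s2 sides of the nc test in the post
        opt = encode_tag1(doi, lvl, [], levels, cats)
        print("s%d -> %s -> %s" % (lvl, opt.hex(), decode_tag1(opt, levels, cats)))
```

Running it prints the option bytes for the s1 and s2 labels; they differ only in the level octet that follows the tag header, and the decoder refuses any level or category that has no entry in the mapping, which is why the DOI and its level/category tables need to exist on both ends of a labeled connection.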