[redhat-lspp] labeled ipsec status
Paul Moore
paul.moore at hp.com
Mon Jan 8 20:55:07 UTC 2007
On Monday, January 8 2007 3:45 pm, Paul Moore wrote:
> On Monday, January 8 2007 3:31 pm, Eric Paris wrote:
> > > 3. Toggle to accept or reject unlabeled packets.
> > > Dan has completed this. He added a boolean, allow_unlabeled_packets,
> > > to selinux policy. Currently, because of a problem in lspp60
> > > kernel, boolean does not work. I tested the boolean on
> > > upstream kernel from kernel.org, 2.6.20-rc3-git4 and the boolean
> > > worked great and as expected. (See #5 below as to why
> > > it did not work in lspp60.)
> >
> > can paul make sure this works for NetLabel as well (since 5 shouldn't be
> > applicable to NetLabel)?
>
> I'll verify that this still works on lspp.60 but I have no reason to
> believe it wouldn't. The way NetLabel allows/denies non-NetLabel packets
> is different from IPsec.
I just verified that this still works correctly. You can test it yourself by
doing the following:
1. Connect to the machine via the network (ssh, telnet, etc.)
2. Once connected run a command that generates regular output (run 'date' in a
loop)
3. On a console on the machine run the following
# netlabelctl -p unlbl accept off
<the output on the command from #2 should stop>
# netlabelctl -p unlbl accept on
<the output on the command from #2 should resume, assuming the TCP session
didn't die>
You can check the status of the unlabeled accept flag by running the following
command:
# netlabelctl -p unlbl list
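As an added example (not part of Paul's message or of netlabel_tools itself), a small POSIX shell helper that reads the unlabeled-accept flag back from the `netlabelctl -p unlbl list` output and, when run as root on a box with netlabel_tools, toggles the flag and confirms the kernel reports the new value. It assumes the pretty listing contains a line of the form `Accept unlabeled packets : on` (and that the non-pretty form is `accept:on`); both are assumptions about the tool's output format, so adjust the pattern if your version prints differently. The sample listings are constructed so the parser can be exercised without NetLabel present.

```shell
#!/bin/sh
# Added example, not code from the original message or from netlabel_tools.
# Assumed output formats (verify against your netlabelctl version):
#   pretty:     Accept unlabeled packets : on
#   non-pretty: accept:on

# Extract "on"/"off" from `netlabelctl [-p] unlbl list` text given on stdin.
unlbl_accept_state() {
    tr 'A-Z' 'a-z' | sed -n 's/^accept[a-z ]*: *\([a-z]*\).*$/\1/p' | head -n 1
}

# Return 0 if the captured listing says unlabeled packets are accepted.
unlbl_accepts() {
    [ "$(printf '%s\n' "$1" | unlbl_accept_state)" = "on" ]
}

# Live readback; needs root and netlabel_tools installed.
unlbl_live_state() {
    netlabelctl -p unlbl list | unlbl_accept_state
}

# Step 3 of the message with a readback: set the flag, then confirm the
# kernel actually reports the requested value rather than silently ignoring it.
unlbl_set_and_verify() {
    want="$1"   # "on" or "off"
    netlabelctl -p unlbl accept "$want" || return 1
    got="$(unlbl_live_state)"
    if [ "$got" != "$want" ]; then
        echo "unlabeled accept flag is '$got', expected '$want'" >&2
        return 1
    fi
    return 0
}

# Constructed sample listings (assumed format), used when netlabelctl is absent.
SAMPLE_LIST_ON='Accept unlabeled packets : on'
SAMPLE_LIST_OFF='Accept unlabeled packets : off'

if command -v netlabelctl >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
    echo "current unlabeled accept state: $(unlbl_live_state)"
else
    echo "sample unlabeled accept state: $(printf '%s\n' "$SAMPLE_LIST_ON" | unlbl_accept_state)"
fi
```

Running `unlbl_set_and_verify off` from a console while an ssh session is open reproduces the check in the message: the session's output should stop, and the readback guards against the case Dan hit with the SELinux boolean, where a toggle is applied but has no effect.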
--
paul moore
linux security @ hp