[redhat-lspp] labeled ipsec status

Eric Paris eparis at redhat.com
Mon Jan 8 21:01:48 UTC 2007


On Mon, 2007-01-08 at 15:55 -0500, Paul Moore wrote:
> On Monday, January 8 2007 3:45 pm, Paul Moore wrote:
> > On Monday, January 8 2007 3:31 pm, Eric Paris wrote:
> > > > 3. Toggle to accept or reject unlabeled packets.
> > > > Dan has completed this. He added a boolean, allow_unlabeled_packets,
> > > > to selinux policy. Currently, because of a problem in the lspp60
> > > > kernel, the boolean does not work. I tested the boolean on
> > > > upstream kernel from kernel.org, 2.6.20-rc3-git4 and the boolean
> > > > worked great and as expected. (See #5 below as to why
> > > > it did not work in lspp60.)
> > >
> > > Can Paul make sure this works for NetLabel as well (since 5 shouldn't be
> > > applicable to NetLabel)?
> >
> > I'll verify that this still works on lspp.60 but I have no reason to
> > believe it wouldn't.  The way NetLabel allows/denies non-NetLabel packets
> > is different from IPsec.
> 
> I just verified that this still works correctly.  You can test it yourself by 
> doing the following:
> 
> 1. Connect to the machine via the network (ssh, telnet, etc.)
> 2. Once connected run a command that generates regular output (run 'date' in a 
> loop)
> 3. On a console on the machine run the following
> 
>    # netlabelctl -p unlbl accept off
>    <the output on the command from #2 should stop>
>    # netlabelctl -p unlbl accept on
>    <the output on the command from #2 should resume, assuming the TCP session 
> didn't die>
> 
> You can check the status of the unlabeled accept flag by running the following 
> command:
> 
>    # netlabelctl -p unlbl list

Beat me to it.  Does the fact that netlabel and xfrm have different
mechanisms for accomplishing the same thing change the 'correct' name
for the boolean?
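
The toggle test Paul describes above, scripted for the console side, as an added example (not code from the original thread or from netlabel_tools). It assumes it is run as root on a kernel with NetLabel, that netlabelctl is the netlabel_tools binary, and that 'netlabelctl unlbl list' reports the flag as 'accept:on' in plain output or 'Accept unlabeled packets : on' with -p; both of those output forms are assumptions, so the parser accepts either and reports 'unknown' if neither appears. The live toggle only runs when the script is invoked with 'run', so the parsing and verification functions can be exercised without netlabelctl.

```shell
#!/bin/sh
# Added example, not part of netlabel_tools or the original thread.
# Drives the console side of the unlabeled-packet toggle test: flip the
# NetLabel "accept unlabeled" flag off, wait, flip it on, and after each
# step check that the kernel actually reports the new state.
#
# Assumptions (not confirmed by the thread): running as root; the
# "netlabelctl unlbl list" output carries the flag as "accept:on|off"
# (plain) or "Accept unlabeled packets : on|off" (with -p).

# Read `netlabelctl unlbl list` output on stdin and print on/off/unknown.
unlbl_accept_state() {
    state=unknown
    while IFS= read -r line; do
        case "$line" in
            accept:on*|"Accept unlabeled packets"*": on"*)   state=on;  break ;;
            accept:off*|"Accept unlabeled packets"*": off"*) state=off; break ;;
        esac
    done
    printf '%s\n' "$state"
}

# Decide whether a verification passed: returns 0 only when the state the
# kernel reports matches the state we asked for.
verify_state() {   # $1 = wanted (on|off), $2 = reported (on|off|unknown)
    [ "$1" = "$2" ]
}

# Toggle the flag with netlabelctl and refuse to continue if the kernel
# does not report the requested state afterwards.
set_unlbl_accept() {   # $1 = on|off
    netlabelctl unlbl accept "$1"
    got=$(netlabelctl unlbl list | unlbl_accept_state)
    if ! verify_state "$1" "$got"; then
        echo "unlbl accept: wanted $1, kernel reports $got" >&2
        return 1
    fi
    echo "unlbl accept: $got"
}

# Full console-side run.  With a 'date' loop running over an ssh session
# from another host, its output should stall during the sleep and resume
# afterwards (assuming the TCP session survives).
run_toggle_test() {   # $1 = seconds to hold the flag off (default 10)
    set_unlbl_accept off
    echo "unlabeled packets now rejected; the remote 'date' loop should stall"
    sleep "${1:-10}"
    set_unlbl_accept on
    echo "unlabeled packets accepted again; output should resume"
}

# Only touch the live kernel when explicitly asked, so the functions above
# can be sourced or tested on a box without netlabelctl or root.
if [ "${1:-}" = "run" ]; then
    run_toggle_test "${2:-10}"
fi
```

Run it on the console as `sh unlbl_toggle_test.sh run 10` while the 'date' loop from step 2 is printing in another session; the two `unlbl accept:` lines confirm the kernel took each toggle, and the gap in the loop's output confirms the packets were actually dropped rather than just the flag flipped.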
