[redhat-lspp] labeled ipsec status

Joy Latten latten at austin.ibm.com
Mon Jan 8 23:04:20 UTC 2007


On Mon, 2007-01-08 at 16:01 -0500, Eric Paris wrote:
> On Mon, 2007-01-08 at 15:55 -0500, Paul Moore wrote:
> > On Monday, January 8 2007 3:45 pm, Paul Moore wrote:
> > > On Monday, January 8 2007 3:31 pm, Eric Paris wrote:
> > > > > 3. Toggle to accept or reject unlabeled packets.
> > > > > Dan has completed this. He added a boolean, allow_unlabeled_packets,
> > > > > to selinux policy. Currently, because of a problem in the lspp60
> > > > > kernel, the boolean does not work. I tested the boolean on the
> > > > > upstream kernel from kernel.org, 2.6.20-rc3-git4 and the boolean
> > > > > worked great and as expected. (See #5 below as to why
> > > > > it did not work in lspp60.)
> > > >
> > > > Can Paul make sure this works for NetLabel as well (since 5 shouldn't be
> > > > applicable to NetLabel)?
> > >
> > > I'll verify that this still works on lspp.60 but I have no reason to
> > > believe it wouldn't.  The way NetLabel allows/denies non-NetLabel packets
> > > is different from IPsec.
> > 
> > I just verified that this still works correctly.  You can test it yourself by 
> > doing the following:
> > 
> > 1. Connect to the machine via the network (ssh, telnet, etc.)
> > 2. Once connected run a command that generates regular output (run 'date' in a 
> > loop)
> > 3. On a console on the machine run the following
> > 
> >    # netlabelctl -p unlbl accept off
> >    <the output on the command from #2 should stop>
> >    # netlabelctl -p unlbl accept on
> >    <the output on the command from #2 should resume, assuming the TCP session 
> > didn't die>
> > 
> > You can check the status of the unlabeled accept flag by running the following 
> > command:
> > 
> >    # netlabelctl -p unlbl list
> 
> Beat me to it.  Does the fact that netlabel and xfrm have different
> mechanisms for accomplishing the same thing change the 'correct' name
> for the boolean?
> 
If I am understanding the question correctly, the boolean that Dan added
will only work for ipsec.
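The test procedure Paul quotes above, together with Joy's point that the SELinux boolean covers only the IPsec path, as an added shell example that is not part of the original thread or of netlabel_tools. It assumes output formats that are not shown on the page: that `netlabelctl unlbl list` prints `accept:on` / `accept:off` (and `netlabelctl -p unlbl list` prints `Accept unlabeled packets : on`), and that `getsebool allow_unlabeled_packets` prints `allow_unlabeled_packets --> on`; the `NETLABEL_LIVE_PEER` variable and the peer host it names are likewise assumptions. The parsers and the stall check run offline on constructed sample lines; the live part needs root, `netlabelctl` and a console login, because `unlbl accept off` drops every unlabeled inbound packet, including the operator's own ssh session.

```shell
#!/bin/sh
# Added example, not from the redhat-lspp thread.  Audits the two separate
# "accept unlabeled packets" knobs discussed above and can replay the
# quoted toggle test.  ASSUMED output formats (check against your
# netlabel_tools and policycoreutils versions):
#   netlabelctl unlbl list            -> "accept:on" | "accept:off"
#   netlabelctl -p unlbl list         -> "Accept unlabeled packets : on"
#   getsebool allow_unlabeled_packets -> "allow_unlabeled_packets --> on"

# Extract the NetLabel unlabeled-accept flag from `netlabelctl [-p] unlbl list`
# output on stdin.  Prints on, off, or unknown.
parse_netlabel_accept() {
    awk -F'[: ]+' '
        /^accept:/                  { print $2;  found = 1; exit }
        /^Accept unlabeled packets/ { print $NF; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# Extract the boolean value from `getsebool <name>` output on stdin.
parse_sebool() {
    awk '$2 == "-->" { print $3; found = 1; exit }
         END { if (!found) print "unknown" }'
}

# The thread's point: allow_unlabeled_packets only governs the IPsec/xfrm
# path; NetLabel has its own flag.  Return 0 when both knobs say the same
# thing, 1 when one path has been closed and the other left open.
knobs_agree() {
    [ "$1" = "$2" ] && [ "$1" != unknown ]
}

# Return 0 if FILE did not grow during WINDOW seconds (the "output stops"
# observation in step 3 of the quoted procedure), 1 if it did.
output_stalled() {
    file=$1; window=${2:-3}
    before=$(wc -c < "$file" | tr -d ' ')
    sleep "$window"
    after=$(wc -c < "$file" | tr -d ' ')
    [ "$after" -eq "$before" ]
}

# Live part: root, netlabelctl, getsebool.  Run from a console, not over ssh.
audit_unlabeled() {
    xfrm=$(getsebool allow_unlabeled_packets 2>/dev/null | parse_sebool)
    nl=$(netlabelctl unlbl list 2>/dev/null | parse_netlabel_accept)
    printf 'IPsec/xfrm path (allow_unlabeled_packets):  %s\n' "$xfrm"
    printf 'NetLabel path   (netlabelctl unlbl accept): %s\n' "$nl"
    knobs_agree "$xfrm" "$nl" || echo 'WARNING: the two unlabeled-packet knobs disagree'
}

# Replay the quoted test against PEER (assumed to accept ssh and to send
# unlabeled, non-CIPSO traffic): keep a session to PEER producing output,
# flip the flag off, confirm the output stalls, flip it back on, confirm it
# resumes.  Restores accept=on before returning.
netlabel_toggle_test() {
    peer=$1; log=$(mktemp)
    ssh "$peer" 'while :; do date; sleep 1; done' > "$log" 2>/dev/null &
    sshpid=$!
    sleep 3                                  # let the session establish
    netlabelctl unlbl accept off
    if output_stalled "$log" 3; then
        echo 'accept off: output stalled as expected'
    else
        echo 'FAIL: unlabeled packets still flowing with accept off'
    fi
    netlabelctl unlbl accept on
    if output_stalled "$log" 3; then
        echo 'FAIL: output did not resume (did the TCP session die?)'
    else
        echo 'accept on: output resumed'
    fi
    kill "$sshpid" 2>/dev/null; rm -f "$log"
}

if [ -n "${NETLABEL_LIVE_PEER:-}" ]; then   # opt in explicitly; nothing live runs otherwise
    audit_unlabeled
    netlabel_toggle_test "$NETLABEL_LIVE_PEER"
fi
```

Run it as `NETLABEL_LIVE_PEER=otherhost sh unlbl-check.sh` from the machine's console; without the variable it only defines the functions. `knobs_agree` is the check worth keeping: flipping `allow_unlabeled_packets` in policy says nothing about what NetLabel will accept, so an audit has to read both.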