[redhat-lspp] Labeling an interface

Stephen Smalley sds at tycho.nsa.gov
Thu May 31 18:21:05 UTC 2007


On Thu, 2007-05-31 at 13:12 -0500, Joe Nall wrote:
> On May 31, 2007, at 12:15 PM, Stephen Smalley wrote:
> 
> > On Thu, 2007-05-31 at 10:58 -0500, Joe Nall wrote:
> >> I would like to label an ethernet interface so that all of the
> >> inbound connections are labeled with a range.
> >>
> >> semanage interface -a -t netif_t --range S-S eth1
> >>
> >> succeeds, but getpeercon fails with "Protocol not available"
> >>
> >> Is there any way to do this with what is in evaluation?
> >
> > getpeercon() only returns a context if a labeled networking mechanism
> > was used; we don't implicitly convey the netif label or secmark label to
> > it.  So if you want a default labeling behavior, that has to be done in
> > your application, e.g. the application would fall back to some default
> > if getpeercon() failed.
> 
> Can you point me at the API to query the netif label?

man semanage_iface

You can see example usage in the semanage python code itself, and
exercise it via e.g.
	semanage interface -l

Let us know (on selinux list) if you encounter problems, as that code
isn't widely used.

-- 
Stephen Smalley
National Security Agency
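
The fallback Stephen describes, as an added example that is not code from this thread, from libselinux or from semanage: it performs the getsockopt(SO_PEERSEC) call that libselinux's getpeercon() wraps, treats ENOPROTOOPT ("Protocol not available") as "no labeled networking supplied a peer label", and substitutes a default built from the netif's range. The `semanage interface -l` listing is a constructed sample, the `unlabeled_t` base type is a hypothetical choice, and `unlabeled_getsockopt` is a test stand-in.

```python
"""Default peer labeling when getpeercon() reports no context.

Added example, not code from the thread or from libselinux/semanage. It does
what libselinux's getpeercon() does internally, getsockopt(SO_PEERSEC), and
applies the fallback described above: ENOPROTOOPT means no labeled networking
supplied a peer label, so a default built from the netif's range is used.
"""
import socket
from errno import ENOPROTOOPT

SO_PEERSEC = getattr(socket, "SO_PEERSEC", 31)  # Linux value; not in every Python build

def peer_context(sock, default, getsockopt=None):
    """Return (context, labeled). labeled is False when `default` had to be used.
    `getsockopt` may be injected for testing; it defaults to the socket's own."""
    get = getsockopt or sock.getsockopt
    try:
        raw = get(socket.SOL_SOCKET, SO_PEERSEC, 256)
    except OSError as exc:
        if exc.errno == ENOPROTOOPT:  # no labeled networking on this connection
            return default, False
        raise  # any other failure is a real error, not "unlabeled"
    return raw.rstrip(b"\x00").decode("utf-8"), True

def default_from_netif(listing, ifname, base):
    """Splice the MLS range of ifname's context (from `semanage interface -l`
    output) onto `base`, a caller-chosen user:role:type. None if not found."""
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) == 2 and fields[0] == ifname:
            parts = fields[1].split(":", 3)  # user, role, type, range (range may hold ':')
            return base + ":" + parts[3] if len(parts) == 4 else None
    return None

def unlabeled_getsockopt(*_args):
    """Stand-in for getsockopt() on a connection without labeled networking."""
    raise OSError(ENOPROTOOPT, "Protocol not available")

# Constructed sample of `semanage interface -l` output, not captured from a system.
SAMPLE_LISTING = """SELinux Interface              Context

eth0                           system_u:object_r:netif_t:s0
eth1                           system_u:object_r:netif_t:s2-s4
"""

if __name__ == "__main__":
    # Hypothetical base type for peers the kernel could not label.
    fallback = default_from_netif(SAMPLE_LISTING, "eth1", "system_u:object_r:unlabeled_t")
    print(peer_context(None, fallback, getsockopt=unlabeled_getsockopt))
```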
