From: "Ahmed S. Darwish"
To: "Tilman Baumann"
Cc: "Casey Schaufler", Linux-Kernel, linux-security-module@vger.kernel.org
Subject: Re: SMACK netfilter smacklabel socket match
Date: Tue, 7 Oct 2008 01:05:51 +0200

Hi Tilman,

On Mon, Oct 6, 2008 at 2:57 PM, Tilman Baumann wrote:
> If I set /smack/nltype to 'unlabeled' I have effectively shut off the
> network.
...
> This might work well in trusted networks.
> But the Internet is untrusted and needs to work too.
> At least in most real-world scenarios. :)
>
> If I set /smack/nltype to 'unlabeled' I don't even get SYN packets out.
> (operation not permitted)
>
> That's probably a bug, but I think the "fix" is to disable the ability to
> set the nltype to anything other than CIPSO at least for the time being.

Check this patch:

http://article.gmane.org/gmane.linux.network/95294/match=

As far as I can remember, it does exactly what you're asking for. There have been some arguments against it, but at least you can get the idea and _try_ to discuss/enhance it further.

Regards

--
Ahmed S. Darwish
Homepage: http://darwish.07.googlepages.com
Blog: http://darwish-07.blogspot.com