From: dwalsh@redhat.com (Daniel J Walsh)
Date: Wed, 24 Nov 2010 08:30:04 -0500
Subject: [refpolicy] Turning off unlabeled_t:packet { send recv }
Message-ID: <4CED135C.4040304@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

I have been fooling around with SECMARK labeling. And one problem that I have found is that we don't have a way to turn off the use of the unlabeled_t packets. Every domain is allowed to send and recv unlabeled_t packets. The way you label a packet is by setting up iptables rules; if iptables is shut down, we do not want SELinux to break the system by default.

But, in some cases where you want to set up security based on labeled packets, you do want the packets to be blocked if the firewall goes down.

I was trying to set up an environment where you could label two types of data, intranet and internet. Then I could assign which domains could talk to the intranet and which domains can talk to the internet. If the iptables rules are removed, I do not want packets to flow to either side.

The mechanism I came up with to do this was to have a module, unlabelednet.pp, that you can disable, in order to stop unlabeled_t packets from being used from confined domains.

Here is the patch I used to make this work. What do you think of the idea?

Attachment: unlabelednet.patch (text, charset unspecified)
Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20101124/49bbc6a5/attachment.pl

Attachment: unlabelednet.patch.sig (application/pgp-signature, 72 bytes)
Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20101124/49bbc6a5/attachment.bin
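The patch itself was scrubbed from the archive, so the following is an added illustration of the setup the message describes, not Dan Walsh's patch or refpolicy's own code. It sketches three pieces: a stand-alone unlabelednet module that carries the unlabeled_t packet permission so it can be disabled, a second module (hypothetical name netzones, with httpd_t and mysqld_t picked only as example domains) that defines intranet and internet packet types and decides which domains may use each, and the iptables SECMARK/CONNSECMARK rules that attach those labels (the eth0 = internet, eth1 = intranet mapping is assumed).

```selinux
# --- unlabelednet.te ---
# Carries the unlabeled_t packet permission that every domain gets today.
# Putting it in its own module lets an administrator turn it off with
# "semodule -d unlabelednet" on systems that rely on SECMARK labels.
policy_module(unlabelednet, 1.0.0)

gen_require(`
	attribute domain;
	type unlabeled_t;
')

allow domain unlabeled_t:packet { send recv };

# --- netzones.te (hypothetical module name) ---
# Two SECMARK packet types. Which domains may talk to which zone is
# decided here, in policy, not in the firewall ruleset.
policy_module(netzones, 1.0.0)

type intranet_packet_t;
corenet_packet(intranet_packet_t)

type internet_packet_t;
corenet_packet(internet_packet_t)

# Example domains, chosen only for illustration.
gen_require(`
	type httpd_t, mysqld_t;
')

# The web server may reach the internet zone, the database only the intranet.
allow httpd_t internet_packet_t:packet { send recv };
allow mysqld_t intranet_packet_t:packet { send recv };

# --- iptables rules that apply the labels (assumed: eth0 internet, eth1 intranet) ---
# Established traffic takes the label saved on its conntrack entry.
# iptables -t mangle -A INPUT  -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
# iptables -t mangle -A OUTPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
# New connections are labeled by interface, then the label is saved to conntrack.
# iptables -t mangle -A INPUT  -i eth0 -m state --state NEW -j SECMARK --selctx system_u:object_r:internet_packet_t:s0
# iptables -t mangle -A INPUT  -i eth1 -m state --state NEW -j SECMARK --selctx system_u:object_r:intranet_packet_t:s0
# iptables -t mangle -A OUTPUT -o eth0 -m state --state NEW -j SECMARK --selctx system_u:object_r:internet_packet_t:s0
# iptables -t mangle -A OUTPUT -o eth1 -m state --state NEW -j SECMARK --selctx system_u:object_r:intranet_packet_t:s0
# iptables -t mangle -A INPUT  -m state --state NEW -j CONNSECMARK --save
# iptables -t mangle -A OUTPUT -m state --state NEW -j CONNSECMARK --save
```

With both modules loaded and unlabelednet enabled, behaviour is unchanged: a packet that matches no SECMARK rule stays unlabeled_t and every domain may still send and receive it. After `semodule -d unlabelednet`, a domain can only use packets carrying a type it was explicitly granted, so mysqld_t loses the internet zone and any domain not mentioned in netzones loses the network entirely. One caveat worth checking on the target kernel: SELinux only performs packet permission checks while at least one SECMARK rule is loaded (later kernels add the always_check_network policy capability to force the checks regardless), so a completely flushed mangle table is not the same as a table whose SECMARK rules have been rewritten, and the fail-closed behaviour the message is after depends on that capability or on keeping at least one SECMARK rule in place.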