From: shifflett@nps.edu (David Shifflett)
Date: Fri, 9 Mar 2012 14:33:08 -0800
Subject: [refpolicy] MLS policy and networking
In-Reply-To: <4257537.7ZZEJ7UAa5@sifl>
References: <4F4D5038.3090001@nps.edu> <1513158.4FbGMoRZ6H@sifl> <4F590648.5010305@nps.edu> <4257537.7ZZEJ7UAa5@sifl>
Message-ID: <4F5A8524.8020507@nps.edu>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Ok, given the below info, I'll re-ask my original question.

I don't care about labeling all the network traffic or packets.
I want to label the interface and have the system enforce the policy
based on the process label and the interface label.

If I use semanage to label the eth1 interface s0 and the eth2 interface s1,
why is a process at s1 allowed to access eth1?

I am not in 'compat_net' mode, so if semanage isn't the right way to label
the interface, should I use SECMARK, or netlabelctl?

BTW, I agree, clear as mud :)

dave

Paul Moore wrote:
> * The semanage tools is simply a tool which assigns labels to resources and
> entities on the system. In the case of network related "things" it can assign
> labels to interfaces and proto/port combinations. It is important to note
> that semanage does not label network traffic.
>
> Hopefully that makes it all as clear as mud :)
>
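To make the question above concrete (an s1 process reaching an s0 interface), here is an added example that is not part of the thread and not refpolicy code. It parses listing lines in the shape `semanage interface -l` prints (the sample lines are constructed, not captured from a system) and compares the process's MLS level with the interface's using the textbook dominance rule: a level dominates another when its sensitivity is higher or equal and its category set is a superset. The `receive_allowed`/`send_allowed` helpers apply a plain no-read-up / no-write-down model; that model, the helper names and the sample listing are assumptions of this example, and the real decision comes from the `mlsconstrain` rules in the policy's mls file, which this code does not reproduce.

```python
"""Parse `semanage interface -l` style lines and compare MLS levels.

Added example for the refpolicy thread; not code from the list or from
refpolicy. The dominance rule is the generic MLS one; the actual network
checks are the policy's mlsconstrain rules, which are not modelled here.
"""
import re
from dataclasses import dataclass

# Constructed sample in the layout `semanage interface -l` uses
# (interface name, then user:role:type:range). Not real system output.
SAMPLE_LISTING = """\
SELinux Interface              Context

eth1                           system_u:object_r:netif_t:s0
eth2                           system_u:object_r:netif_t:s1
eth3                           system_u:object_r:netif_t:s0:c0.c3,c7-s2:c0.c1023
"""


@dataclass(frozen=True)
class Level:
    """One MLS level: sensitivity number plus a set of category numbers."""
    sens: int
    cats: frozenset

    def dominates(self, other):
        # Higher-or-equal sensitivity and a superset of categories.
        return self.sens >= other.sens and self.cats >= other.cats


def parse_level(text):
    """'s1:c0.c3,c7' -> Level(1, {0,1,2,3,7}); 's0' -> Level(0, empty set)."""
    m = re.fullmatch(r"s(\d+)(?::(.+))?", text)
    if not m:
        raise ValueError(f"bad MLS level: {text!r}")
    cats = set()
    for part in (m.group(2) or "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition(".")        # 'c0.c3' is a category run
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        cats.update(range(lo_n, hi_n + 1))
    return Level(int(m.group(1)), frozenset(cats))


def parse_range(text):
    """'low-high' -> (Level, Level); a single level is its own high."""
    low, _, high = text.partition("-")
    lo = parse_level(low)
    return lo, (parse_level(high) if high else lo)


def parse_context(ctx):
    """Split 'user:role:type:range'; the range itself may contain ':'."""
    user, role, typ, rng = ctx.split(":", 3)
    return user, role, typ, parse_range(rng)


def parse_interface_listing(text):
    """Map interface name -> (user, role, type, (low, high)) from listing lines."""
    out = {}
    for line in text.splitlines()[1:]:         # first line is the header
        if not line.strip():
            continue
        name, ctx = line.split(None, 1)
        out[name] = parse_context(ctx.strip())
    return out


def relation(proc, iface):
    """'equal', 'dominates' (proc over iface), 'dominated', or 'incomparable'."""
    if proc == iface:
        return "equal"
    if proc.dominates(iface):
        return "dominates"
    if iface.dominates(proc):
        return "dominated"
    return "incomparable"


def receive_allowed(proc, iface):
    """Simplified no-read-up: a process may receive from an interface it dominates."""
    return proc.dominates(iface)


def send_allowed(proc, iface):
    """Simplified no-write-down: a process may send only where the interface dominates it."""
    return iface.dominates(proc)


if __name__ == "__main__":
    ifaces = parse_interface_listing(SAMPLE_LISTING)
    proc = parse_level("s1")                    # the s1 process from the question
    for name, (_, _, typ, (low, _)) in ifaces.items():
        print(f"{name:5} {typ:8} iface-low={low.sens} relation={relation(proc, low):12}"
              f" recv={receive_allowed(proc, low)} send={send_allowed(proc, low)}")
```

Run it and the s1 process dominates the s0 label on eth1, so a dominance-only check lets it read from eth1 while a strict no-write-down model would refuse sending there; the per-interface label alone says nothing about the packets, which is the point Paul's quoted paragraph makes.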