[refpolicy] MLS policy and networking
David Shifflett
shifflett at nps.edu
Fri Mar 9 16:33:08 CST 2012
Ok, given the below info, I'll re-ask my original question.
I don't care about labeling all the network traffic or packets.
I want to label the interface and have the system
enforce the policy based on the process label and the interface label.
If I use semanage to label the eth1 interface s0
and the eth2 interface s1
Why is a process at s1 allowed to access eth1?
I am not in 'compat_net' mode,
so if semanage isn't the right way to label the interface,
should I use SECMARK, or netlabelctl?
BTW, I agree, clear as mud :)
dave
Paul Moore wrote:
<snip>
> * The semanage tool is simply a tool which assigns labels to resources and
> entities on the system. In the case of network related "things" it can assign
> labels to interfaces and proto/port combinations. It is important to note
> that semanage does not label network traffic.
>
> Hopefully that makes it all as clear as mud :)
>
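The comparison an MLS policy makes between a process level and the level on a semanage-labelled interface is dominance: a level dominates another when its sensitivity is equal or higher and its category set is a superset. The script below is an added example, not code from this thread, from David or Paul, or from refpolicy; the interface contexts are constructed to match the scenario above (eth1 at s0, eth2 at s1, process at s1), and the `netif_t` type and the `system_u:object_r:netif_t:s0` context format are taken from what semanage prints for interfaces. It parses single levels and ranges (with `c0.c3`-style category spans) and reports the relation for each interface. In David's scenario it reports that s1 dominates s0 on eth1, i.e. a read-down relation; whether that relation is permitted or denied for a given access vector is decided by the policy's `mlsconstrain` rules and, as the quoted reply points out, by whether the traffic carries a label at all, which semanage does not provide.

```python
"""MLS dominance checks between a process level and interface labels.

Constructed example (not from the thread or from refpolicy). Parses level
strings such as "s1", "s0:c0.c3", or the range "s0-s15:c0.c1023" and applies
the standard dominance rule: higher-or-equal sensitivity and a superset of
categories.
"""
import re

CAT_RE = re.compile(r"^c(\d+)(?:\.c(\d+))?$")


def parse_level(text):
    """Return (sensitivity, frozenset(categories)) for one level.

    "s1"        -> (1, frozenset())
    "s0:c0.c3"  -> (0, {0, 1, 2, 3})
    "s2:c1,c5"  -> (2, {1, 5})
    """
    sens_part, _, cats_part = text.partition(":")
    m = re.fullmatch(r"s(\d+)", sens_part)
    if not m:
        raise ValueError("bad sensitivity: %r" % text)
    sens = int(m.group(1))
    cats = set()
    if cats_part:
        for piece in cats_part.split(","):
            cm = CAT_RE.match(piece)
            if not cm:
                raise ValueError("bad category: %r" % piece)
            lo = int(cm.group(1))
            hi = int(cm.group(2)) if cm.group(2) else lo
            cats.update(range(lo, hi + 1))
    return sens, frozenset(cats)


def dominates(a, b):
    """a dom b: a's sensitivity >= b's and a's categories include b's."""
    return a[0] >= b[0] and a[1] >= b[1]  # frozenset >= means superset


def parse_range(text):
    """Return (low, high) levels; a single level is its own low and high."""
    low, _, high = text.partition("-")
    lo = parse_level(low)
    hi = parse_level(high) if high else lo
    if not dominates(hi, lo):
        raise ValueError("high level must dominate low level: %r" % text)
    return lo, hi


def interface_access(process_level, interface_context):
    """Classify the MLS relation between a process level and the level in a
    full interface context such as "system_u:object_r:netif_t:s0" (the form
    semanage prints). For a ranged interface the low level is compared."""
    level_text = interface_context.split(":", 3)[3]
    if_low, if_high = parse_range(level_text)
    proc = parse_level(process_level)
    if proc == if_low and proc == if_high:
        return "equal"
    if dominates(proc, if_low):
        return "process dominates interface (read-down)"
    if dominates(if_low, proc):
        return "interface dominates process (write-up)"
    return "incomparable"


# Constructed interface labels matching the scenario in the thread.
INTERFACES = {
    "eth1": "system_u:object_r:netif_t:s0",
    "eth2": "system_u:object_r:netif_t:s1",
}


def report(process_level="s1", interfaces=INTERFACES):
    """Relation of one process level to every labelled interface."""
    return {name: interface_access(process_level, ctx)
            for name, ctx in interfaces.items()}


if __name__ == "__main__":
    for name, verdict in report().items():
        print(name, "->", verdict)
```

Running it with the defaults prints a read-down relation for eth1 and "equal" for eth2; feeding it the output of `semanage interface -l` from a real box (one context per interface) turns it into a quick audit of which interfaces a given clearance dominates.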
More information about the refpolicy
mailing list