One of the biggest differences between NetLabel and the labeled networking mechanisms of existing Trusted OSs is how outbound traffic is selected for labeling. Ever since NetLabel was first introduced in kernel 2.6.19 the on-the-wire outbound labeling protocol was determined by the label of the sending application's socket. Despite the departure
I read the netlabelctl-linux man page, linked below:
http://linux.die.net/man/8/netlabelctl
At the same time, I read another page you wrote, linked below:
http://paulmoore.livejournal.com/2884.html
Now, I have some questions:
1. From the first website, I don't understand the domain mapping. What is the LSM domain? Is the LSM domain the application's domain?
2. Could you please give me some explanation of the command below:
# netlabelctl map add domain:lsm_domain protocol:cipsov4,8
You said the above command means: Add a domain mapping so that all outgoing packets sent from the "lsm_domain" will be labeled according to the CIPSO/IPv4 protocol using DOI 8.
I want to ask about the blue code: what is in "lsm_domain"? I mean, what application does "lsm_domain" contain?
3. From the second website, I want to ask about the command below:
# netlabelctl map add domain:apache_t protocol:cipsov4,16
In SELinux, the domain apache_t is the Apache application. However, in Smack, can I use the domain apache_t as the Apache application?
Thank you very much. By the way, I am sorry for my poor English. :)
Wishing for your reply!
Some answers that should help:
1. The LSM "domain" is a term that has a different meaning depending on the LSM; for SELinux the "domain" would be the SELinux type or domain, e.g. unconfined_t.
2. I think the answer in #1 above should help answer this question.
3. Smack does things a bit differently than SELinux when it comes to NetLabel. When using Smack you should refrain from using the netlabelctl tool as the Smack kernel will handle all of the NetLabel configuration for you.
Good luck!