[redhat-lspp] A quick HOW-TO on using the new CIPSO tag types

Paul Moore paul.moore at hp.com
Wed Nov 29 18:54:48 UTC 2006


I just posted a set of patches to the netdev and SELinux mailing lists which add
two new CIPSO tag types from the IETF draft.  These two new types allow you to
transmit categories greater than 240.  See the draft for details:

 * http://sourceforge.net/docman/display_doc.php?docid=34650&group_id=174379

For those of you who want to play with the patches you can do so with the
netlabel_tools you currently have; the only change is that instead of always
specifying "tags:1" when adding a CIPSO DOI definition you can now use tag types
"2" and "5", or a combination.  Examples below:

 * Create a DOI definition using the enumerated tag type

   # netlabelctl cipsov4 add pass doi:1 tags:2

 * Create a DOI definition using the ranged tag type

   # netlabelctl cipsov4 add pass doi:1 tags:5

 * Create a DOI definition using multiple tag types

   # netlabelctl cipsov4 add pass doi:1 tags:2,5,1

When you specify multiple tag types for a DOI definition NetLabel gives
precedence to the types based on the order in which you supplied them on the
command line.  In the example above, "tags:2,5,1", NetLabel will first try to
use tag type "2", then type "5", and finally type "1"; as before, if the MLS
label cannot be represented using the current configuration the socket will not
be created.

-- 
paul moore
linux security @ hp
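As an added illustration of the precedence rule described in the post (this is not code from the post, from netlabel_tools, or from the kernel), the following Python model parses a netlabelctl-style `tags:` argument, tries the listed tag types in order against an MLS label's category set, and emits the tag bytes for whichever type fits first, refusing the label when none does. The size limits are assumptions derived from the 40-byte IPv4 option maximum and the CIPSO header layout (6-byte option header, 4-byte tag header, 30 bytes of category payload per tag): type 1 holds categories 0-239 as a bitmap, type 2 up to 15 enumerated 16-bit categories, type 5 up to 8 descending (top, bottom) ranges with a trailing bottom of 0 omitted. The bit order of the bitmap and the omission of the final zero bottom follow my reading of the draft and should be checked against it before relying on them.

```python
"""Model of CIPSO tag-type selection and encoding (added example, not NetLabel code).

Assumptions, not quoted from any implementation: a CIPSO option carries a 6-byte
header (type 134, length, 4-byte DOI) and each tag a 4-byte header (type, length,
alignment, level), so a tag has at most 30 bytes of category payload.
"""
import struct

CIPSO_OPT_TYPE = 134
CIPSO_HDR_LEN = 6
TAG_HDR_LEN = 4
IPV4_OPT_MAX = 40
TAG_PAYLOAD_MAX = IPV4_OPT_MAX - CIPSO_HDR_LEN - TAG_HDR_LEN  # 30 bytes

TAG_BITMAP, TAG_ENUM, TAG_RANGE = 1, 2, 5


def parse_tags_arg(arg):
    """Turn a netlabelctl-style 'tags:2,5,1' argument into the precedence list."""
    key, _, value = arg.partition(":")
    if key != "tags" or not value:
        raise ValueError("expected tags:<type>[,<type>...]")
    return [int(t) for t in value.split(",")]


def _category_ranges(cats):
    """Collapse ascending categories into (top, bottom) pairs, highest range first."""
    runs = []
    for c in cats:
        if runs and runs[-1][1] == c - 1:
            runs[-1][1] = c
        else:
            runs.append([c, c])
    return [(hi, lo) for lo, hi in reversed(runs)]


def encode_tag(tag_type, level, cats):
    """Return the wire bytes of one CIPSO tag, or None if the label does not fit."""
    cats = sorted(set(cats))
    if cats and (cats[0] < 0 or cats[-1] > 0xFFFF):
        return None
    if tag_type == TAG_BITMAP:
        if cats and cats[-1] >= TAG_PAYLOAD_MAX * 8:  # no bit for categories > 239
            return None
        bitmap = bytearray(cats[-1] // 8 + 1 if cats else 0)
        for c in cats:
            bitmap[c // 8] |= 0x80 >> (c % 8)  # assumption: category 0 is the high bit
        payload = bytes(bitmap)
    elif tag_type == TAG_ENUM:
        if len(cats) * 2 > TAG_PAYLOAD_MAX:  # more than 15 categories
            return None
        payload = b"".join(struct.pack("!H", c) for c in cats)
    elif tag_type == TAG_RANGE:
        words = [w for pair in _category_ranges(cats) for w in pair]
        if words and words[-1] == 0:
            words.pop()  # assumption: a final bottom of 0 is implied, not sent
        if len(words) * 2 > TAG_PAYLOAD_MAX:  # more than 8 ranges
            return None
        payload = b"".join(struct.pack("!H", w) for w in words)
    else:
        raise ValueError("unsupported tag type %d" % tag_type)
    return bytes([tag_type, TAG_HDR_LEN + len(payload), 0, level]) + payload


def select_tag(tag_order, level, cats):
    """Try the DOI's tag types in the configured order; the first that fits wins.

    If no listed type can carry the label, the label is unrepresentable under
    that DOI definition and the caller must refuse (the post says the kernel
    refuses to create the socket).
    """
    for tag_type in tag_order:
        tag = encode_tag(tag_type, level, cats)
        if tag is not None:
            return tag_type, tag
    raise ValueError("MLS label not representable with tag types %r" % (tag_order,))


def build_option(doi, tag):
    """Wrap a single tag in the CIPSO IPv4 option header."""
    return bytes([CIPSO_OPT_TYPE, CIPSO_HDR_LEN + len(tag)]) + struct.pack("!I", doi) + tag


if __name__ == "__main__":
    order = parse_tags_arg("tags:2,5,1")  # the post's multi-type DOI definition
    # Constructed sample labels: one high category, a dense run plus an outlier,
    # and a sparse set that only the bitmap can hold.
    for cats in ([300], list(range(16)) + [400], list(range(0, 200, 2))):
        t, tag = select_tag(order, 3, cats)
        print("%d categories (max %d) -> tag type %d, %d-byte option"
              % (len(cats), max(cats), t, len(build_option(1, tag))))
```

With `tags:2,5,1` the three sample labels land on types 2, 5 and 1 respectively, which shows why the order matters: a DOI defined as `tags:1` alone would reject the first two labels outright, while `tags:2` alone would reject the sparse one.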
