[redhat-lspp] Labeling an interface

Stephen Smalley sds at tycho.nsa.gov
Thu May 31 17:15:39 UTC 2007


On Thu, 2007-05-31 at 10:58 -0500, Joe Nall wrote:
> I would like to label an Ethernet interface so that all of the
> inbound connections are labeled with a range.
> 
> semanage interface -a -t netif_t --range S-S eth1
> 
> succeeds, but getpeercon fails with "Protocol not available"
> 
> Is there any way to do this with what is in evaluation?

getpeercon() only returns a context if a labeled networking mechanism
was used; we don't implicitly convey the netif label or secmark label to
it.  So if you want a default labeling behavior, that has to be done in
your application, e.g. the application would fall back to some default
if getpeercon() failed.

-- 
Stephen Smalley
National Security Agency
