LKML Archive on
From: Paul Moore <>
To: "Ahmed S. Darwish" <>
Cc: Casey Schaufler <>, LKML <>, Andrew Morton <>
Subject: Re: [PATCH BUGFIX -rc4] Smack: Respect 'unlabeled' netlabel mode
Date: Sat, 31 May 2008 09:08:59 -0400
Message-ID: <>
In-Reply-To: <20080531005826.GA6945@ubuntu>

Sorry I'm late to the party ...

On Friday 30 May 2008 8:58:26 pm Ahmed S. Darwish wrote:
> There are two possible solutions in my mind:
> - Using a predefined netlabel domain to denote to unlabeled packets.
>   Defect: May collide with a user chosen label and used to break
> security. Solution: Use a domain name that can't become a label
> (Hackery ?)

From my understanding of Smack that is what the ambient label does 
currently.  Does this not work correctly for you?

> - I've tried first to use what was done before the 'Smack: unlabeled
> outgoing ambient packets' patch, which honored nltype=unlabeled, but
> ignored netlabel completely:
>   i.e.
>   int rc = 0;
>   if (secattr.flags != NETLBL_SECATTR_NONE)
>        rc = netlbl_sock_setattr(sk, &secattr);
>   return rc;
>   Paul, would this be right from a netlabel perspective ?

Well, what are you trying to do (it isn't clear to me from the code 
snippet above)?  The netlbl_sock_setattr() function looks at the 
secattr->domain field and uses the value there to look up the desired 
labeling protocol (currently either CIPSO or unlabeled) and then the 
NetLabel subsystem passes the socket and the secattr information onto 
the specific protocol handler where the secattr->attr information is 
used to assign on-the-wire labels to the socket.

paul moore
linux @ hp
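A user-space model of the dispatch Paul describes (domain lookup with a default entry, then either the CIPSO handler or the unlabeled no-op), combined with the snippet quoted from Ahmed's mail. This is an added example, not kernel code or any participant's code: the NETLBL_SECATTR_NONE and NETLBL_NLTYPE_* names follow the kernel, but their values, the struct layouts, the domain table and the "smack_cipso_peer" domain are constructed for the model.

```c
#include <stddef.h>
#include <string.h>
/* Constant names follow the kernel; values are constructed for this model. */
#define NETLBL_SECATTR_NONE   0x0
#define NETLBL_SECATTR_DOMAIN 0x1
enum nltype { NETLBL_NLTYPE_UNLABELED, NETLBL_NLTYPE_CIPSOV4 };
struct secattr_model { int flags; const char *domain; int cipso_level; };
struct sock_model { int has_cipso_label; int cipso_level; };
/* Domain mapping table (constructed). A NULL domain is the default entry
 * that is used when no specific mapping matches the requested domain. */
struct dom_map { const char *domain; enum nltype type; };
static const struct dom_map dom_table[] = {
    { "smack_cipso_peer", NETLBL_NLTYPE_CIPSOV4 },
    { NULL,               NETLBL_NLTYPE_UNLABELED },
};
static const struct dom_map *dom_lookup(const char *domain) {
    const struct dom_map *def = NULL;
    for (size_t i = 0; i < sizeof dom_table / sizeof dom_table[0]; i++) {
        if (dom_table[i].domain == NULL)
            def = &dom_table[i];
        else if (domain && strcmp(dom_table[i].domain, domain) == 0)
            return &dom_table[i];
    }
    return def;   /* NULL: no mapping at all (the kernel returns -ENOENT) */
}
/* Model of netlbl_sock_setattr(): choose the protocol from the domain and
 * hand the socket plus the secattr attributes to that protocol's handler. */
int model_sock_setattr(struct sock_model *sk, const struct secattr_model *sa) {
    const struct dom_map *m = dom_lookup(sa->domain);
    if (m == NULL)
        return -1;
    if (m->type == NETLBL_NLTYPE_CIPSOV4) {   /* CIPSO: label the socket */
        sk->has_cipso_label = 1;
        sk->cipso_level = sa->cipso_level;
    }
    return 0;   /* unlabeled: nothing is put on the wire */
}
/* The quoted Smack-side snippet: skip NetLabel entirely when the secattr
 * carries no attributes. Returns 1 if labeled, 0 if not, -1 on error. */
int smack_label_state(const char *domain, int flags, int level) {
    struct sock_model sk = { 0, 0 };
    struct secattr_model sa = { flags, domain, level };
    int rc = 0;
    if (sa.flags != NETLBL_SECATTR_NONE)
        rc = model_sock_setattr(&sk, &sa);
    return rc < 0 ? rc : sk.has_cipso_label;
}
```

The three paths worth checking are a domain mapped to CIPSO, a domain that falls through to the unlabeled default, and a secattr with no attributes at all, which never reaches NetLabel.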


Thread overview: 10+ messages
2008-05-30 23:36 Ahmed S. Darwish
2008-05-30 23:10 ` Casey Schaufler
2008-05-31  0:58   ` Ahmed S. Darwish
2008-05-31  0:37     ` Casey Schaufler
2008-05-31 13:08     ` Paul Moore [this message]
2008-05-30 23:57 ` [PATCH BUGFIX -v2 " Ahmed S. Darwish
2008-05-30 23:10   ` Tetsuo Handa
2008-05-30 23:25   ` Andrew Morton
2008-05-31  1:12     ` Ahmed S. Darwish
2008-05-30 23:45   ` Casey Schaufler

