On Tue, 2010-01-26 at 15:51 +0330, michel m wrote:
> As I noticed, the getpeercon() API allows me to have the domain of the peer
> connection, but packets received have their own security contexts, which
> are set by iptables rules on the peer side. How can I get arriving
> packets' context using libselinux?
iptables secmark labels are local-only; they are not passed across the wire. They are only used internally for network access control checks.
In contrast, labeled networking (netlabel or labeled ipsec) conveys the security context across the wire, and that security context is exposed to userspace via getpeercon(3) for stream sockets and via IP_PASSEC/SCM_SECURITY for dgram sockets.

-- 
Stephen Smalley
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to email@example.com with the words "unsubscribe selinux" without quotes as the message.