selinux January 2010 archive
Main Archive Page > Month Archives  > selinux archives
selinux: Re: incoming packets` context

Re: incoming packets` context

From: Stephen Smalley <sds_at_nospam>
Date: Tue Jan 26 2010 - 13:29:58 GMT
To: michel m <>

On Tue, 2010-01-26 at 15:51 +0330, michel m wrote:
> Hi,
> as I noticed, getpeercon() API allows me to have domain of the peer
> connection, but packets received have their own security context which
> are set by iptable rules on the peer side. how can I get arriving
> packets` context using libselinux?

iptables secmark labels are local-only; they are not passed across the wire. They are only used internally for network access control checks.

In contrast, labeled networking (netlabel or labeled ipsec) conveys the security context across the wire, and that security context is exposed to userspace via getpeercon(3) for stream sockets and via IP_PASSEC/SCM_SECURITY for dgram sockets. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to with the words "unsubscribe selinux" without quotes as the message.