Netlabel

[Christophe Hauser]

Hi all,

is anyone here familiar with Netlabel ? I am trying to label network packets
using CIPSO tags from a LSM module. Rather than using the Netlink interface to
configure Netlabel from userspace, I try to setup everything from kernelspace.
The way I initialize netlabel is similar to what smack does in smk_cipso_doi()
(security/smack/smackfs.c).

What I am trying to do is the following :
- no packet should ever get dropped
- unlabeled packets can stay unlabeled, I don't need to assign them any DOI
- labeled packets carry information that is only useful to my LSM module
  (bitmaps)

Now, everytime I label a socket, packets get dropped. I read in the RFC about
configuration settings such as HOST_LABEL_MAX and so on, but as far as I
understand, it is up to the module itself to make such verifications. Is
netlabel enforcing any sort of policy here ? Is there anyway I can configure
netlabel to never drop packets ?

Kind regards,
-- 
Christophe