Displaying 1 result from an estimated 1 matches for "http_client_packet_t".

2024 Apr 18
1
[Bug 1749] New: netfilter/nftables secmark support limited to 255 bytes
...Assignee: netfilter-buglog at lists.netfilter.org Reporter: joe at nall.com The kernel and nftables userspace are both limited to 255-byte (NFT_SECMARK_CTX_MAXLEN) SELinux secmark contexts. If we start with 44 characters of non-category SELinux packet context system_u:object_r:http_client_packet_t:s10: we are left with 211 bytes for category bit representation. If we are using 1024 category bits, it could take 5 bytes for each bit if they are spread out c100,c123,c201,... This only gives us 42 usable category bits worst case. We have real-world SELinux contexts that don't fit in 25...