Netlabel should be using SECSID_NULL for packets which have no known label. Not the explicit SECSID_UNLABELED
in kernel-2.6.18-1.2725.el5
*** Bug 209555 has been marked as a duplicate of this bug. ***
I think something may have been lost in translation, NetLabel should be using SECINITSID_UNLABELED not SECINITSID_NETMSG; at least this is what the patches accepted for 2.6.19 change (as well as the patches for RHEL5 I believe, I just wanted to clarify this BZ entry).
Has someone verified the right thing is happening in the latest RHEL5 code? There's no patch attached to this bug and no testing results so I'm not really sure where we stand.
There is no way to determine from a running system if the patch is applied or not as both SECINITSID_UNLABELED and SECINITSID_NETMSG have the same SELinux context in all of the SELinux policies that are in RHEL5. The kernel source must be verified to ensure the patch has been applied. A pointer to the patch can be found in BZ 209555.
Patch confirmed with 2.6.18-8.el5.