Problems with NetLabel's Native SELinux Labeling in 2.6.28
One of the new features added in Linux 2.6.28 was the ability to send full SELinux labels/contexts over local connections using NetLabel. Unfortunately a bug was recently discovered in how NetLabel applies on-the-wire security labels to responses of incoming TCP connections which significantly affects the native labeling added in 2.6.28. The bug has likely been present since 2.6.25 (I haven't verified this yet) and only affects the on-the-wire label of packets sent by a TCP application which accepts incoming connections. Because of this I'm going to refrain from posting the How-To on how to make use of the new native labeling capabilities until the bug is fixed.
Patches are currently under development which should solve this issue and I expect the fix to be included in the 2.6.30 release of the Linux Kernel. Once the issue has been resolved in the 2.6.30 release candidates I will work on developing a set of patches to address the problems in the stable kernel trees (2.6.27 and 2.6.28 at the time of this writing) but that will likely lag the mainline fix by a week or two due to the re-engineering needed for the stable trees.
Sorry about this; I hope to have it fixed soon, in the meantime I ask for your patience.
Patches are currently under development which should solve this issue and I expect the fix to be included in the 2.6.30 release of the Linux Kernel. Once the issue has been resolved in the 2.6.30 release candidates I will work on developing a set of patches to address the problems in the stable kernel trees (2.6.27 and 2.6.28 at the time of this writing) but that will likely lag the mainline fix by a week or two due to the re-engineering needed for the stable trees.
Sorry about this; I hope to have it fixed soon, in the meantime I ask for your patience.