On Wed, 2006-10-04 at 12:41 -0500, Klaus Weidner wrote: > On Wed, Oct 04, 2006 at 11:20:32AM -0400, Linda Knippers wrote: > > Thanks for the reminder about that thread. > > https://www.redhat.com/archives/redhat-lspp/2006-August/msg00008.html > > > > I didn't really see a conclusion though. Dan was waiting to hear from > > Steve. Steve didn't like it for the reasons I mentioned above. Were > > the auditallows added to the MLS policy? Did anyone create a module? > > Yes, it's part of the "lspp_policy" module included in the kickstart > config RPM I posted yesterday. > > This reminds me - can we assume that the setsocketcreate and > setipccreate attributes will remain unimplemented for RHEL5? If they get > added at the last minute the people who write the tests would get very > unhappy.
sockcreate was added in 2.6.18, and thus should be present in the RHEL5 kernel. ipccreate was not upstreamed due to lack of a user so far. The actual permission is setsockcreate. But no one submitted a policy patch to define it. Eric? > > -Klaus > > policy_module(lspp_policy,1.0) > > gen_require(` > attribute domain; > ') > > # Audit setting of security relevant process attributes > # These settings are OPTIONAL > auditallow domain self:process setcurrent; > auditallow domain self:process setexec; > auditallow domain self:process setfscreate; > #auditallow domain self:process setsocketcreate; # FIXME > #auditallow domain self:process setipccreate; # FIXME -- Stephen Smalley National Security Agency -- redhat-lspp mailing list [email protected] https://www.redhat.com/mailman/listinfo/redhat-lspp
