Christopher J. PeBenito wrote:
> On Fri, 2006-10-06 at 10:10 -0400, Paul Moore wrote:
>> Christopher J. PeBenito wrote:
>>> On Tue, 2006-10-03 at 21:54 -0500, Venkat Yekkirala wrote:
>>>> FYI- I have posted the following patches separate from this one.
>>>>
>>>> 1. A patch to address the "leask" issue. Once verified, it needs
>>>> to be rolled in with James' patch and sent on after verification.
>>>>
>>>> 2. A fix for flow_in and flow_out where we were using the unlabeled
>>>> init sid. We would now use a new network_t with a range of (s0-s15...)
>>>> to allow for mls traffic to flow out/in, in the absence of explicit
>>>> secmark rules.
>>>>
>>>> The following is a sample patch for networking using the new controls
>>>> in conjunction with secmark.
>>>>
>>>> NOTE FOR JOSHUA: This patch also defines the constraints to force context
>>>> equality for association:sendto.
>>>
>>> I'm starting a labeled networking branch of refpolicy to work with this.
>>
>> Is this available yet? If so, how do I go about getting a copy to take a
>> look?
>
> Yes, however it doesn't have anything interesting yet, just the flow_in
> and flow_out perms.
>
> svn co http://oss.tresys.com/repos/refpolicy/branches/labeled-networking-2029 refpolicy

Okay, thanks.

>>> I'm waiting until the dust settles before adding TE rules, but I have
>>> some questions:
>>
>> Now that things are starting to calm down a bit I'm trying to get a chance to
>> look at the current policy and how it affects NetLabel. In the secid case I
>> believe NetLabel can just ride on the back of the policy work you and Venkat
>> are discussing, however, if the reference policy is also going to support the
>> network compatibility mode I suspect there will need to be some changes to
>> allow NetLabel'd traffic to work.
>>
>> In the network compatibility mode there is really only one new access check
>> for NetLabel:
>
> Changing the behavior of compat_net seems very bad, since the point of
> it is compatibility. If we need to update the policy, then that is not
> compatibility.

I think I misused the network compatibility statement; I should have said
"In the non secid-reconciliation case". As far as I can tell there are no
other users of the "recvfrom" permission so I can't imagine it being that
disruptive to existing policy.

>> There is also an issue of writing policy for netlabelctl, the NetLabel
>> configuration tool. Klaus and I have passed around some simple policy modules
>> on the lspp list which have provided policy for netlabelctl. I'm going to try
>> and revisit the last version posted and see if it needs to be updated; once it
>> is working I would like to try and have it included in the reference policy.
>> Would you prefer I post the policy as a standalone policy module or as a patch
>> against the reference policy currently in SVN?
>
> If it makes no changes to other modules, then either way is ok,
> otherwise a patch would be better. Use the labeled networking branch
> above.

Okay, I'll try to put a patch together as soon as the stuff with the lspp.51
kernel is sorted.

-- 
paul moore
linux security @ hp

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
