Re: [PATCH RFC 0/2] stricter MLS policy constraints

[Klaus Weidner <klaus@atsec.com>]

On Wed, Dec 13, 2006 at 03:50:59PM -0500, Paul Moore wrote:
> I did a quick test using the refpolicy from SVN and your patches; the good news
> is that simple tests using netcat worked as expected and there did not appear to
> be any regressions.

Glad to hear that, thanks for testing!

> The bad news is that I realized we never added NetLabel receive permissions to
> any of the application domains (try to telnet into a machine with NetLabel);
> only the user domains have the NetLabel receive permissions.  As a result I
> wasn't able to try any more elaborate tests without fixing the policy.  It will
> probably take a little while to get a patch out to address this as there are a
> lot of domains which need to be changed; that said I'm probably about a third of
> the way through at this point.
> 
> In case anyone is interested, the policy changes boil down to the following:
> 
>  ifdef(`enable_mls',`
>         corenet_tcp_recv_netlabel(app_domain_t)
>         corenet_udp_recv_netlabel(app_domain_t)
>  ')

Have you considered adding those lines to the existing interfaces in
policy/modules/kernel/corenetwork.if.in instead? For example, telnetd
currently uses corenet_tcp_sendrecv_all_if(telnetd_t), and you could make
that interface provide the needed netlabel rights also.

Do we need something equivalent for labeled IPSEC?

-Klaus

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.