* Label Translation on Fedora 9 @ 2008-11-03 11:49 Andy Warner 2008-11-03 13:29 ` Stephen Smalley 0 siblings, 1 reply; 15+ messages in thread From: Andy Warner @ 2008-11-03 11:49 UTC (permalink / raw) To: selinux [-- Attachment #1: Type: text/plain, Size: 651 bytes --] I am running Fedora 9 with the MLS policy and see no evidence that the label translation is enabled. I am using the default setrans.conf and the "disable=1" flag is commented out. Using the selinux_trans_to_raw (e.g., with a SystemHigh level) produces the exact same label string as passed in which will not pass validation (using s15:c0.c1023 will pass validation). Trying id-Z followed by newrole produces: id -Z warner_u:secadm_r:secadm_t:s0-s15:c0.c1023 newrole -l SystemLow-SystemHigh warner_u:secadm_r:secadm_t:SystemLow-SystemHigh is not a valid context Is there something that must be done to activate label translation? thanks Andy [-- Attachment #2: Type: text/html, Size: 908 bytes --] ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Label Translation on Fedora 9 2008-11-03 11:49 Label Translation on Fedora 9 Andy Warner @ 2008-11-03 13:29 ` Stephen Smalley 2008-11-03 13:47 ` Andy Warner 0 siblings, 1 reply; 15+ messages in thread From: Stephen Smalley @ 2008-11-03 13:29 UTC (permalink / raw) To: Andy Warner; +Cc: selinux On Mon, 2008-11-03 at 12:49 +0100, Andy Warner wrote: > I am running Fedora 9 with the MLS policy and see no evidence that the > label translation is enabled. I am using the default setrans.conf and > the "disable=1" flag is commented out. > > Using the selinux_trans_to_raw (e.g., with a SystemHigh level) > produces the exact same label string as passed in which will not pass > validation (using s15:c0.c1023 will pass validation). > > Trying id-Z followed by newrole produces: > id -Z > warner_u:secadm_r:secadm_t:s0-s15:c0.c1023 > > newrole -l SystemLow-SystemHigh > warner_u:secadm_r:secadm_t:SystemLow-SystemHigh is not a valid context > > Is there something that must be done to activate label translation? Label translation is provided by a daemon, mcstrans. yum install mcstrans /sbin/chkconfig mcstrans on /sbin/service mcstrans start -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Label Translation on Fedora 9 2008-11-03 13:29 ` Stephen Smalley @ 2008-11-03 13:47 ` Andy Warner 2008-11-03 13:51 ` Stephen Smalley 0 siblings, 1 reply; 15+ messages in thread From: Andy Warner @ 2008-11-03 13:47 UTC (permalink / raw) To: Stephen Smalley; +Cc: selinux [-- Attachment #1: Type: text/plain, Size: 1386 bytes --] Stephen Smalley wrote: > On Mon, 2008-11-03 at 12:49 +0100, Andy Warner wrote: > >> I am running Fedora 9 with the MLS policy and see no evidence that the >> label translation is enabled. I am using the default setrans.conf and >> the "disable=1" flag is commented out. >> >> Using the selinux_trans_to_raw (e.g., with a SystemHigh level) >> produces the exact same label string as passed in which will not pass >> validation (using s15:c0.c1023 will pass validation). >> >> Trying id-Z followed by newrole produces: >> id -Z >> warner_u:secadm_r:secadm_t:s0-s15:c0.c1023 >> >> newrole -l SystemLow-SystemHigh >> warner_u:secadm_r:secadm_t:SystemLow-SystemHigh is not a valid context >> >> Is there something that must be done to activate label translation? >> > > Label translation is provided by a daemon, mcstrans. > > yum install mcstrans > /sbin/chkconfig mcstrans on > /sbin/service mcstrans start > Thanks. I was not starting the mcstrans service. When I get a translation, it seems odd as follows. without mcstrans: id -Z warner_u:secadm_r:secadm_t:s0-s15:c0.c1023 with mcstrans: id -Z warner_u:secadm_r:secadm_t:SystemLow:SystemLow-SystemHigh Is it expected to have the high end of the range expressed as a range? The translation table has the following relevant entries: s0 SystemLow s0-s15:c0.c1023 SystemLow-SystemHigh [-- Attachment #2: Type: text/html, Size: 1949 bytes --] ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Label Translation on Fedora 9 2008-11-03 13:47 ` Andy Warner @ 2008-11-03 13:51 ` Stephen Smalley 2008-11-03 16:29 ` Paul Moore 0 siblings, 1 reply; 15+ messages in thread From: Stephen Smalley @ 2008-11-03 13:51 UTC (permalink / raw) To: Andy Warner; +Cc: selinux, Daniel J Walsh On Mon, 2008-11-03 at 14:47 +0100, Andy Warner wrote: > > > Stephen Smalley wrote: > > On Mon, 2008-11-03 at 12:49 +0100, Andy Warner wrote: > > > > > I am running Fedora 9 with the MLS policy and see no evidence that the > > > label translation is enabled. I am using the default setrans.conf and > > > the "disable=1" flag is commented out. > > > > > > Using the selinux_trans_to_raw (e.g., with a SystemHigh level) > > > produces the exact same label string as passed in which will not pass > > > validation (using s15:c0.c1023 will pass validation). > > > > > > Trying id-Z followed by newrole produces: > > > id -Z > > > warner_u:secadm_r:secadm_t:s0-s15:c0.c1023 > > > > > > newrole -l SystemLow-SystemHigh > > > warner_u:secadm_r:secadm_t:SystemLow-SystemHigh is not a valid context > > > > > > Is there something that must be done to activate label translation? > > > > > > > Label translation is provided by a daemon, mcstrans. > > > > yum install mcstrans > > /sbin/chkconfig mcstrans on > > /sbin/service mcstrans start > > > > Thanks. I was not starting the mcstrans service. When I get a > translation, it seems odd as follows. > > without mcstrans: > id -Z > warner_u:secadm_r:secadm_t:s0-s15:c0.c1023 > > with mcstrans: > id -Z > warner_u:secadm_r:secadm_t:SystemLow:SystemLow-SystemHigh > > Is it expected to have the high end of the range expressed as a range? > The translation table has the following relevant entries: > s0 SystemLow > s0-s15:c0.c1023 SystemLow-SystemHigh No, that looks wrong to me as well. cc'ing Dan Walsh of Red Hat, who maintains mcstrans. BTW, if you are looking for more complete MLS label translation support, you might try the extended mcstrans posted by Joe Nall. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Label Translation on Fedora 9 2008-11-03 13:51 ` Stephen Smalley @ 2008-11-03 16:29 ` Paul Moore 2008-11-03 20:34 ` Daniel J Walsh 0 siblings, 1 reply; 15+ messages in thread From: Paul Moore @ 2008-11-03 16:29 UTC (permalink / raw) To: Stephen Smalley; +Cc: Andy Warner, selinux, Daniel J Walsh, Joe Nall On Monday 03 November 2008 8:51:49 am Stephen Smalley wrote: > On Mon, 2008-11-03 at 14:47 +0100, Andy Warner wrote: > > Stephen Smalley wrote: > > > On Mon, 2008-11-03 at 12:49 +0100, Andy Warner wrote: > > > > I am running Fedora 9 with the MLS policy and see no evidence > > > > that the label translation is enabled. I am using the default > > > > setrans.conf and the "disable=1" flag is commented out. > > > > > > > > Using the selinux_trans_to_raw (e.g., with a SystemHigh level) > > > > produces the exact same label string as passed in which will > > > > not pass validation (using s15:c0.c1023 will pass validation). > > > > > > > > Trying id-Z followed by newrole produces: > > > > id -Z > > > > warner_u:secadm_r:secadm_t:s0-s15:c0.c1023 > > > > > > > > newrole -l SystemLow-SystemHigh > > > > warner_u:secadm_r:secadm_t:SystemLow-SystemHigh is not a valid > > > > context > > > > > > > > Is there something that must be done to activate label > > > > translation? > > > > > > Label translation is provided by a daemon, mcstrans. > > > > > > yum install mcstrans > > > /sbin/chkconfig mcstrans on > > > /sbin/service mcstrans start > > > > Thanks. I was not starting the mcstrans service. When I get a > > translation, it seems odd as follows. > > > > without mcstrans: > > id -Z > > warner_u:secadm_r:secadm_t:s0-s15:c0.c1023 > > > > with mcstrans: > > id -Z > > warner_u:secadm_r:secadm_t:SystemLow:SystemLow-SystemHigh > > > > Is it expected to have the high end of the range expressed as a > > range? The translation table has the following relevant entries: > > s0 SystemLow > > s0-s15:c0.c1023 SystemLow-SystemHigh > > No, that looks wrong to me as well. cc'ing Dan Walsh of Red Hat, who > maintains mcstrans. > > BTW, if you are looking for more complete MLS label translation > support, you might try the extended mcstrans posted by Joe Nall. What is the status of the patch? I vaguely remember a little bit of discussion/review about the patch but it's not clear to me if it was ever accepted into upstream/Fedora and if it wasn't what the next steps were going to be ... -- paul moore linux @ hp -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Label Translation on Fedora 9 2008-11-03 16:29 ` Paul Moore @ 2008-11-03 20:34 ` Daniel J Walsh 2008-11-09 18:26 ` Joe Nall 0 siblings, 1 reply; 15+ messages in thread From: Daniel J Walsh @ 2008-11-03 20:34 UTC (permalink / raw) To: Paul Moore; +Cc: Stephen Smalley, Andy Warner, selinux, Joe Nall -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Paul Moore wrote: > On Monday 03 November 2008 8:51:49 am Stephen Smalley wrote: >> On Mon, 2008-11-03 at 14:47 +0100, Andy Warner wrote: >>> Stephen Smalley wrote: >>>> On Mon, 2008-11-03 at 12:49 +0100, Andy Warner wrote: >>>>> I am running Fedora 9 with the MLS policy and see no evidence >>>>> that the label translation is enabled. I am using the default >>>>> setrans.conf and the "disable=1" flag is commented out. >>>>> >>>>> Using the selinux_trans_to_raw (e.g., with a SystemHigh level) >>>>> produces the exact same label string as passed in which will >>>>> not pass validation (using s15:c0.c1023 will pass validation). >>>>> >>>>> Trying id-Z followed by newrole produces: >>>>> id -Z >>>>> warner_u:secadm_r:secadm_t:s0-s15:c0.c1023 >>>>> >>>>> newrole -l SystemLow-SystemHigh >>>>> warner_u:secadm_r:secadm_t:SystemLow-SystemHigh is not a valid >>>>> context >>>>> >>>>> Is there something that must be done to activate label >>>>> translation? >>>> Label translation is provided by a daemon, mcstrans. >>>> >>>> yum install mcstrans >>>> /sbin/chkconfig mcstrans on >>>> /sbin/service mcstrans start >>> Thanks. I was not starting the mcstrans service. When I get a >>> translation, it seems odd as follows. >>> >>> without mcstrans: >>> id -Z >>> warner_u:secadm_r:secadm_t:s0-s15:c0.c1023 >>> >>> with mcstrans: >>> id -Z >>> warner_u:secadm_r:secadm_t:SystemLow:SystemLow-SystemHigh >>> >>> Is it expected to have the high end of the range expressed as a >>> range? The translation table has the following relevant entries: >>> s0 SystemLow >>> s0-s15:c0.c1023 SystemLow-SystemHigh >> No, that looks wrong to me as well. cc'ing Dan Walsh of Red Hat, who >> maintains mcstrans. >> >> BTW, if you are looking for more complete MLS label translation >> support, you might try the extended mcstrans posted by Joe Nall. > > What is the status of the patch? I vaguely remember a little bit of > discussion/review about the patch but it's not clear to me if it was > ever accepted into upstream/Fedora and if it wasn't what the next steps > were going to be ... > Good question, we have let this slip through the cracks. I would like to replace my library totally with Joe's. The only concern would be to allow people who used my format to convert to the new format if possible or at least document how to do this. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkkPYFkACgkQrlYvE4MpobOZRQCfbG2Nk+8sRypiJgSjIATHqLeI jz4An3xTcOjf4ZJpwP2j0PtnM+bPRrR7 =iNCh -----END PGP SIGNATURE----- -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Label Translation on Fedora 9 2008-11-03 20:34 ` Daniel J Walsh @ 2008-11-09 18:26 ` Joe Nall 2008-11-10 15:56 ` Paul Moore 2008-11-12 9:23 ` Russell Coker 0 siblings, 2 replies; 15+ messages in thread From: Joe Nall @ 2008-11-09 18:26 UTC (permalink / raw) To: Daniel J Walsh; +Cc: Paul Moore, Stephen Smalley, Andy Warner, selinux On Nov 3, 2008, at 2:34 PM, Daniel J Walsh wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Paul Moore wrote: >> On Monday 03 November 2008 8:51:49 am Stephen Smalley wrote: >>> On Mon, 2008-11-03 at 14:47 +0100, Andy Warner wrote: >>>> Stephen Smalley wrote: >>>>> On Mon, 2008-11-03 at 12:49 +0100, Andy Warner wrote: >>>>>> I am running Fedora 9 with the MLS policy and see no evidence >>>>>> that the label translation is enabled. I am using the default >>>>>> setrans.conf and the "disable=1" flag is commented out. >>>>>> >>>>>> Using the selinux_trans_to_raw (e.g., with a SystemHigh level) >>>>>> produces the exact same label string as passed in which will >>>>>> not pass validation (using s15:c0.c1023 will pass validation). >>>>>> >>>>>> Trying id-Z followed by newrole produces: >>>>>> id -Z >>>>>> warner_u:secadm_r:secadm_t:s0-s15:c0.c1023 >>>>>> >>>>>> newrole -l SystemLow-SystemHigh >>>>>> warner_u:secadm_r:secadm_t:SystemLow-SystemHigh is not a valid >>>>>> context >>>>>> >>>>>> Is there something that must be done to activate label >>>>>> translation? >>>>> Label translation is provided by a daemon, mcstrans. >>>>> >>>>> yum install mcstrans >>>>> /sbin/chkconfig mcstrans on >>>>> /sbin/service mcstrans start >>>> Thanks. I was not starting the mcstrans service. When I get a >>>> translation, it seems odd as follows. >>>> >>>> without mcstrans: >>>> id -Z >>>> warner_u:secadm_r:secadm_t:s0-s15:c0.c1023 >>>> >>>> with mcstrans: >>>> id -Z >>>> warner_u:secadm_r:secadm_t:SystemLow:SystemLow-SystemHigh >>>> >>>> Is it expected to have the high end of the range expressed as a >>>> range? The translation table has the following relevant entries: >>>> s0 SystemLow >>>> s0-s15:c0.c1023 SystemLow-SystemHigh >>> No, that looks wrong to me as well. cc'ing Dan Walsh of Red Hat, >>> who >>> maintains mcstrans. >>> >>> BTW, if you are looking for more complete MLS label translation >>> support, you might try the extended mcstrans posted by Joe Nall. >> >> What is the status of the patch? I vaguely remember a little bit of >> discussion/review about the patch but it's not clear to me if it was >> ever accepted into upstream/Fedora and if it wasn't what the next >> steps >> were going to be ... >> > Good question, we have let this slip through the cracks. I would like > to replace my library totally with Joe's. The only concern would be > to > allow people who used my format to convert to the new format if > possible > or at least document how to do this. Sorry about the big delay in closure on this. We have been very busy trying to build a demonstrable Fedora based MLS/X system to run our applications on. The demo was last week in London and we have some time to upstream our changes this month. That includes adding combination constraints, label-to-color mapping and migration tools to mcstransd and pushing it into a public repo for community consideration. joe -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Label Translation on Fedora 9 2008-11-09 18:26 ` Joe Nall @ 2008-11-10 15:56 ` Paul Moore 2008-11-10 16:10 ` Xavier Toth 2008-11-12 9:23 ` Russell Coker 1 sibling, 1 reply; 15+ messages in thread From: Paul Moore @ 2008-11-10 15:56 UTC (permalink / raw) To: Joe Nall; +Cc: Daniel J Walsh, Stephen Smalley, Andy Warner, selinux On Sunday 09 November 2008 1:26:58 pm Joe Nall wrote: > On Nov 3, 2008, at 2:34 PM, Daniel J Walsh wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > > > > Paul Moore wrote: > >> On Monday 03 November 2008 8:51:49 am Stephen Smalley wrote: > >>> On Mon, 2008-11-03 at 14:47 +0100, Andy Warner wrote: > >>>> Stephen Smalley wrote: > >>>>> On Mon, 2008-11-03 at 12:49 +0100, Andy Warner wrote: > >>>>>> I am running Fedora 9 with the MLS policy and see no evidence > >>>>>> that the label translation is enabled. I am using the default > >>>>>> setrans.conf and the "disable=1" flag is commented out. > >>>>>> > >>>>>> Using the selinux_trans_to_raw (e.g., with a SystemHigh level) > >>>>>> produces the exact same label string as passed in which will > >>>>>> not pass validation (using s15:c0.c1023 will pass validation). > >>>>>> > >>>>>> Trying id-Z followed by newrole produces: > >>>>>> id -Z > >>>>>> warner_u:secadm_r:secadm_t:s0-s15:c0.c1023 > >>>>>> > >>>>>> newrole -l SystemLow-SystemHigh > >>>>>> warner_u:secadm_r:secadm_t:SystemLow-SystemHigh is not a valid > >>>>>> context > >>>>>> > >>>>>> Is there something that must be done to activate label > >>>>>> translation? > >>>>> > >>>>> Label translation is provided by a daemon, mcstrans. > >>>>> > >>>>> yum install mcstrans > >>>>> /sbin/chkconfig mcstrans on > >>>>> /sbin/service mcstrans start > >>>> > >>>> Thanks. I was not starting the mcstrans service. When I get a > >>>> translation, it seems odd as follows. > >>>> > >>>> without mcstrans: > >>>> id -Z > >>>> warner_u:secadm_r:secadm_t:s0-s15:c0.c1023 > >>>> > >>>> with mcstrans: > >>>> id -Z > >>>> warner_u:secadm_r:secadm_t:SystemLow:SystemLow-SystemHigh > >>>> > >>>> Is it expected to have the high end of the range expressed as a > >>>> range? The translation table has the following relevant entries: > >>>> s0 SystemLow > >>>> s0-s15:c0.c1023 SystemLow-SystemHigh > >>> > >>> No, that looks wrong to me as well. cc'ing Dan Walsh of Red Hat, > >>> who > >>> maintains mcstrans. > >>> > >>> BTW, if you are looking for more complete MLS label translation > >>> support, you might try the extended mcstrans posted by Joe Nall. > >> > >> What is the status of the patch? I vaguely remember a little bit > >> of discussion/review about the patch but it's not clear to me if > >> it was ever accepted into upstream/Fedora and if it wasn't what > >> the next steps > >> were going to be ... > > > > Good question, we have let this slip through the cracks. I would > > like to replace my library totally with Joe's. The only concern > > would be to > > allow people who used my format to convert to the new format if > > possible > > or at least document how to do this. > > Sorry about the big delay in closure on this. We have been very busy > trying to build a demonstrable Fedora based MLS/X system to run our > applications on. The demo was last week in London and we have some > time to upstream our changes this month. That includes adding > combination constraints, label-to-color mapping and migration tools > to mcstransd and pushing it into a public repo for community > consideration. Cool. Do the current X/metacity patches support label coloring? -- paul moore linux @ hp -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Label Translation on Fedora 9 2008-11-10 15:56 ` Paul Moore @ 2008-11-10 16:10 ` Xavier Toth 2008-11-10 16:16 ` Joe Nall 2008-11-10 16:26 ` Paul Moore 0 siblings, 2 replies; 15+ messages in thread From: Xavier Toth @ 2008-11-10 16:10 UTC (permalink / raw) To: Paul Moore Cc: Joe Nall, Daniel J Walsh, Stephen Smalley, Andy Warner, selinux On Mon, Nov 10, 2008 at 9:56 AM, Paul Moore <paul.moore@hp.com> wrote: > On Sunday 09 November 2008 1:26:58 pm Joe Nall wrote: >> On Nov 3, 2008, at 2:34 PM, Daniel J Walsh wrote: >> > -----BEGIN PGP SIGNED MESSAGE----- >> > Hash: SHA1 >> > >> > Paul Moore wrote: >> >> On Monday 03 November 2008 8:51:49 am Stephen Smalley wrote: >> >>> On Mon, 2008-11-03 at 14:47 +0100, Andy Warner wrote: >> >>>> Stephen Smalley wrote: >> >>>>> On Mon, 2008-11-03 at 12:49 +0100, Andy Warner wrote: >> >>>>>> I am running Fedora 9 with the MLS policy and see no evidence >> >>>>>> that the label translation is enabled. I am using the default >> >>>>>> setrans.conf and the "disable=1" flag is commented out. >> >>>>>> >> >>>>>> Using the selinux_trans_to_raw (e.g., with a SystemHigh level) >> >>>>>> produces the exact same label string as passed in which will >> >>>>>> not pass validation (using s15:c0.c1023 will pass validation). >> >>>>>> >> >>>>>> Trying id-Z followed by newrole produces: >> >>>>>> id -Z >> >>>>>> warner_u:secadm_r:secadm_t:s0-s15:c0.c1023 >> >>>>>> >> >>>>>> newrole -l SystemLow-SystemHigh >> >>>>>> warner_u:secadm_r:secadm_t:SystemLow-SystemHigh is not a valid >> >>>>>> context >> >>>>>> >> >>>>>> Is there something that must be done to activate label >> >>>>>> translation? >> >>>>> >> >>>>> Label translation is provided by a daemon, mcstrans. >> >>>>> >> >>>>> yum install mcstrans >> >>>>> /sbin/chkconfig mcstrans on >> >>>>> /sbin/service mcstrans start >> >>>> >> >>>> Thanks. I was not starting the mcstrans service. When I get a >> >>>> translation, it seems odd as follows. >> >>>> >> >>>> without mcstrans: >> >>>> id -Z >> >>>> warner_u:secadm_r:secadm_t:s0-s15:c0.c1023 >> >>>> >> >>>> with mcstrans: >> >>>> id -Z >> >>>> warner_u:secadm_r:secadm_t:SystemLow:SystemLow-SystemHigh >> >>>> >> >>>> Is it expected to have the high end of the range expressed as a >> >>>> range? The translation table has the following relevant entries: >> >>>> s0 SystemLow >> >>>> s0-s15:c0.c1023 SystemLow-SystemHigh >> >>> >> >>> No, that looks wrong to me as well. cc'ing Dan Walsh of Red Hat, >> >>> who >> >>> maintains mcstrans. >> >>> >> >>> BTW, if you are looking for more complete MLS label translation >> >>> support, you might try the extended mcstrans posted by Joe Nall. >> >> >> >> What is the status of the patch? I vaguely remember a little bit >> >> of discussion/review about the patch but it's not clear to me if >> >> it was ever accepted into upstream/Fedora and if it wasn't what >> >> the next steps >> >> were going to be ... >> > >> > Good question, we have let this slip through the cracks. I would >> > like to replace my library totally with Joe's. The only concern >> > would be to >> > allow people who used my format to convert to the new format if >> > possible >> > or at least document how to do this. >> >> Sorry about the big delay in closure on this. We have been very busy >> trying to build a demonstrable Fedora based MLS/X system to run our >> applications on. The demo was last week in London and we have some >> time to upstream our changes this month. That includes adding >> combination constraints, label-to-color mapping and migration tools >> to mcstransd and pushing it into a public repo for community >> consideration. > > Cool. Do the current X/metacity patches support label coloring? > > -- > paul moore > linux @ hp > > -- > This message was distributed to subscribers of the selinux mailing list. > If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with > the words "unsubscribe selinux" without quotes as the message. > No. Ted -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Label Translation on Fedora 9 2008-11-10 16:10 ` Xavier Toth @ 2008-11-10 16:16 ` Joe Nall 2008-11-10 16:53 ` Paul Moore 2008-11-10 16:26 ` Paul Moore 1 sibling, 1 reply; 15+ messages in thread From: Joe Nall @ 2008-11-10 16:16 UTC (permalink / raw) To: Paul Moore Cc: Daniel J Walsh, Stephen Smalley, Andy Warner, SE Linux, Xavier Toth On Nov 10, 2008, at 10:10 AM, Xavier Toth wrote: > On Mon, Nov 10, 2008 at 9:56 AM, Paul Moore <paul.moore@hp.com> wrote: >> ... >> Cool. Do the current X/metacity patches support label coloring? >> >> -- >> paul moore >> linux @ hp > > No. > > Ted Ted has unreleased patches to metacity and openbox support the coloring the window banner based on classification. We want to move the code from a shared library to mcstransd before releasing them into the wild. He also wrote a simple banner program to show the current session level. It needs to run in a protected type and better defend its screen real estate or be integrated into X or the window manager. joe -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Label Translation on Fedora 9 2008-11-10 16:16 ` Joe Nall @ 2008-11-10 16:53 ` Paul Moore 0 siblings, 0 replies; 15+ messages in thread From: Paul Moore @ 2008-11-10 16:53 UTC (permalink / raw) To: Joe Nall, Xavier Toth Cc: Daniel J Walsh, Stephen Smalley, Andy Warner, SE Linux On Monday 10 November 2008 11:16:43 am Joe Nall wrote: > On Nov 10, 2008, at 10:10 AM, Xavier Toth wrote: > > On Mon, Nov 10, 2008 at 9:56 AM, Paul Moore <paul.moore@hp.com> wrote: > >> ... > >> Cool. Do the current X/metacity patches support label coloring? > >> > >> -- > >> paul moore > >> linux @ hp > > > > No. > > > > Ted > > Ted has unreleased patches to metacity and openbox support the > coloring the window banner based on classification. We want to move > the code from a shared library to mcstransd before releasing them > into the wild. > > He also wrote a simple banner program to show the current session > level. It needs to run in a protected type and better defend its > screen real estate or be integrated into X or the window manager. Okay, sounds good. Thanks for the update. -- paul moore linux @ hp -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Label Translation on Fedora 9 2008-11-10 16:10 ` Xavier Toth 2008-11-10 16:16 ` Joe Nall @ 2008-11-10 16:26 ` Paul Moore 2008-11-10 16:34 ` Xavier Toth 1 sibling, 1 reply; 15+ messages in thread From: Paul Moore @ 2008-11-10 16:26 UTC (permalink / raw) To: Xavier Toth Cc: Joe Nall, Daniel J Walsh, Stephen Smalley, Andy Warner, selinux On Monday 10 November 2008 11:10:49 am Xavier Toth wrote: > On Mon, Nov 10, 2008 at 9:56 AM, Paul Moore <paul.moore@hp.com> wrote: > > On Sunday 09 November 2008 1:26:58 pm Joe Nall wrote: > >> Sorry about the big delay in closure on this. We have been very > >> busy trying to build a demonstrable Fedora based MLS/X system to > >> run our applications on. The demo was last week in London and we > >> have some time to upstream our changes this month. That includes > >> adding combination constraints, label-to-color mapping and > >> migration tools to mcstransd and pushing it into a public repo for > >> community consideration. > > > > Cool. Do the current X/metacity patches support label coloring? > > No. Okay, just out of curiosity is this being worked on? Also, what other applications are there for label coloring? I'm just trying to understand things a little better. -- paul moore linux @ hp -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Label Translation on Fedora 9 2008-11-10 16:26 ` Paul Moore @ 2008-11-10 16:34 ` Xavier Toth 0 siblings, 0 replies; 15+ messages in thread From: Xavier Toth @ 2008-11-10 16:34 UTC (permalink / raw) To: Paul Moore Cc: Joe Nall, Daniel J Walsh, Stephen Smalley, Andy Warner, selinux On Mon, Nov 10, 2008 at 10:26 AM, Paul Moore <paul.moore@hp.com> wrote: > On Monday 10 November 2008 11:10:49 am Xavier Toth wrote: >> On Mon, Nov 10, 2008 at 9:56 AM, Paul Moore <paul.moore@hp.com> wrote: >> > On Sunday 09 November 2008 1:26:58 pm Joe Nall wrote: >> >> Sorry about the big delay in closure on this. We have been very >> >> busy trying to build a demonstrable Fedora based MLS/X system to >> >> run our applications on. The demo was last week in London and we >> >> have some time to upstream our changes this month. That includes >> >> adding combination constraints, label-to-color mapping and >> >> migration tools to mcstransd and pushing it into a public repo for >> >> community consideration. >> > >> > Cool. Do the current X/metacity patches support label coloring? >> >> No. > > Okay, just out of curiosity is this being worked on? Also, what other > applications are there for label coloring? > > I'm just trying to understand things a little better. > > -- > paul moore > linux @ hp > Once we get color support in Joe's version of mcstrans I'll integrate color support into metacity and openbox and then work on getting it upstreamed. Aside from mcstrans modifications this will require libselinux changes to implement new apis to get color based on context. I'm not sure what other applications there are for label coloring. Ted -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Label Translation on Fedora 9 2008-11-09 18:26 ` Joe Nall 2008-11-10 15:56 ` Paul Moore @ 2008-11-12 9:23 ` Russell Coker 2008-11-12 13:57 ` Joe Nall 1 sibling, 1 reply; 15+ messages in thread From: Russell Coker @ 2008-11-12 9:23 UTC (permalink / raw) To: Joe Nall Cc: Daniel J Walsh, Paul Moore, Stephen Smalley, Andy Warner, selinux On Monday 10 November 2008 05:26, Joe Nall <joe@nall.com> wrote: > Sorry about the big delay in closure on this. We have been very busy > trying to build a demonstrable Fedora based MLS/X system to run our > applications on. The demo was last week in London and we have some > time to upstream our changes this month. That includes adding > combination constraints, label-to-color mapping and migration tools to > mcstransd and pushing it into a public repo for community consideration. Have you considered making a Xen image of that available for public download? One item on my todo list is to prepared some Xen images of SE Linux for download so that people can try it out. I have recently acquired a suitable server (thanks to a generous German friend) and now only need to find the time. Another item on my todo list is to run a Xen server for public SE Linux training. Hopefully I will get that done in a couple of weeks. Also I'm idly considering putting a Debian SE Linux image on EC2. I'm not sure if that would interest anyone though. -- russell@coker.com.au http://etbe.coker.com.au/ My Blog http://www.coker.com.au/sponsorship.html Sponsoring Free Software development -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Label Translation on Fedora 9 2008-11-12 9:23 ` Russell Coker @ 2008-11-12 13:57 ` Joe Nall 0 siblings, 0 replies; 15+ messages in thread From: Joe Nall @ 2008-11-12 13:57 UTC (permalink / raw) To: russell; +Cc: Daniel J Walsh, Paul Moore, Stephen Smalley, Andy Warner, selinux On Nov 12, 2008, at 3:23 AM, Russell Coker wrote: > On Monday 10 November 2008 05:26, Joe Nall <joe@nall.com> wrote: >> Sorry about the big delay in closure on this. We have been very busy >> trying to build a demonstrable Fedora based MLS/X system to run our >> applications on. The demo was last week in London and we have some >> time to upstream our changes this month. That includes adding >> combination constraints, label-to-color mapping and migration tools >> to >> mcstransd and pushing it into a public repo for community >> consideration. > > Have you considered making a Xen image of that available for public > download? No. I like the idea, but don't have the time right now. I would rather see the Fedora re-spin process be capable of a MLS Live CD. It might be pretty close these days, but I haven't tried it in about 12 months. joe > One item on my todo list is to prepared some Xen images of SE Linux > for > download so that people can try it out. I have recently acquired a > suitable > server (thanks to a generous German friend) and now only need to > find the > time. > > Another item on my todo list is to run a Xen server for public SE > Linux > training. Hopefully I will get that done in a couple of weeks. > > Also I'm idly considering putting a Debian SE Linux image on EC2. > I'm not > sure if that would interest anyone though. > > -- > russell@coker.com.au > http://etbe.coker.com.au/ My Blog > > http://www.coker.com.au/sponsorship.html Sponsoring Free Software > development -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 15+ messages in thread
end of thread, other threads:[~2008-11-12 13:57 UTC | newest] Thread overview: 15+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2008-11-03 11:49 Label Translation on Fedora 9 Andy Warner 2008-11-03 13:29 ` Stephen Smalley 2008-11-03 13:47 ` Andy Warner 2008-11-03 13:51 ` Stephen Smalley 2008-11-03 16:29 ` Paul Moore 2008-11-03 20:34 ` Daniel J Walsh 2008-11-09 18:26 ` Joe Nall 2008-11-10 15:56 ` Paul Moore 2008-11-10 16:10 ` Xavier Toth 2008-11-10 16:16 ` Joe Nall 2008-11-10 16:53 ` Paul Moore 2008-11-10 16:26 ` Paul Moore 2008-11-10 16:34 ` Xavier Toth 2008-11-12 9:23 ` Russell Coker 2008-11-12 13:57 ` Joe Nall
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.