[refpolicy] network: Enable "network_peer_controls" and fix some remaining issues

[refpolicy] network: Enable "network_peer_controls" and fix some remaining issues

[Paul Moore]

An embedded and charset-unspecified text was scrubbed...
Name: network-in_out_basic
Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20090116/39b08e75/attachment.pl 

[refpolicy] network: Enable "network_peer_controls" and fix some remaining issues

[Paul Moore]

On Friday 30 January 2009 9:46:21 am you wrote:
> On Fri, 2009-01-16 at 17:08 -0500, Paul Moore wrote:
> > plain text document attachment (network-in_out_basic)
> > We added the network_peer_controls capability back in Linux Kernel
> > 2.6.25 but didn't activate the capability because more work was
> > needed to ensure a smooth transition to the new controls.  This
> > patch enables the network_peer_controls capability and fixes a few
> > remaining issues with its use.  With this patch applied to the
> > Fedora Rawhide SELinux policy (selinux-policy-3.6.1-4.fc11) I am
> > able to interact with the machine over the network without any new
> > AVC denials.
>
> Does it work without the legacy support rules?  I'm thinking that for
> now we don't want the legacy support in these interfaces, since we're
> still not ready to dump all the compat_net support.  Then its clear
> that its not supposed to be used for compat_net rules.

I'm testing it right now (it should work without the legacy bits).  Once 
I've verified the changes I'll repost.

-- 
paul moore
linux @ hp