From: Paul Moore <paul.moore@hp.com>
To: chanson@TrustedCS.com
Cc: Glenn.Faden@sun.com, refpolicy@oss.tresys.com, selinux@tycho.nsa.gov
Subject: Re: [refpolicy] [PATCH] refpolicy: Add missing network related MLSconstraints
Date: Fri, 13 Feb 2009 18:17:29 -0500 [thread overview]
Message-ID: <200902131817.29764.paul.moore@hp.com> (raw)
In-Reply-To: <170D6ABBBA770349AA49582A86FCED15BA0238@HAVOC.tcs-sec.com>
On Friday 13 February 2009 05:17:13 pm chanson@trustedcs.com wrote:
> You are correct, we want to keep the existing overrides, but not provide
> anymore overrides. The network interface / node checking rope should be
> very short. The few exceptions of unlabeled_t or kernel_t. kernel_t was
> necessary for nfs awhile back (may not be necessary now), probably
> iSCSI, or basically things where the kernel is generating the packet
> instead of a process and not assuming other credentials.
Well, I suppose we can take the minimalistic, aka "short rope", approach right
now since the ingress/egress controls are still new and not really integrated
into policy in the form of templates. As we continue to develop the policy
and we find a need for them we can always [re-]add them. Unless anyone chimes
in over the weekend or next Monday I'll respin a patch next week.
Just out of curiosity, are you guys using any of the new stuff or are you
still using your own special kernel with the rejected network controls? I ask
because I would be curious about any feedback you might have on the new bits
in mainline.
--
paul moore
linux @ hp
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
WARNING: multiple messages have this Message-ID (diff)
From: paul.moore@hp.com (Paul Moore)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH] refpolicy: Add missing network related MLSconstraints
Date: Fri, 13 Feb 2009 18:17:29 -0500 [thread overview]
Message-ID: <200902131817.29764.paul.moore@hp.com> (raw)
In-Reply-To: <170D6ABBBA770349AA49582A86FCED15BA0238@HAVOC.tcs-sec.com>
On Friday 13 February 2009 05:17:13 pm chanson at trustedcs.com wrote:
> You are correct, we want to keep the existing overrides, but not provide
> anymore overrides. The network interface / node checking rope should be
> very short. The few exceptions of unlabeled_t or kernel_t. kernel_t was
> necessary for nfs awhile back (may not be necessary now), probably
> iSCSI, or basically things where the kernel is generating the packet
> instead of a process and not assuming other credentials.
Well, I suppose we can take the minimalistic, aka "short rope", approach right
now since the ingress/egress controls are still new and not really integrated
into policy in the form of templates. As we continue to develop the policy
and we find a need for them we can always [re-]add them. Unless anyone chimes
in over the weekend or next Monday I'll respin a patch next week.
Just out of curiosity, are you guys using any of the new stuff or are you
still using your own special kernel with the rejected network controls? I ask
because I would be curious about any feedback you might have on the new bits
in mainline.
--
paul moore
linux @ hp
next prev parent reply other threads:[~2009-02-13 23:17 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-02-12 21:15 [PATCH] refpolicy: Add missing network related MLS constraints Paul Moore
2009-02-12 21:15 ` [refpolicy] " Paul Moore
2009-02-13 19:36 ` [refpolicy] [PATCH] refpolicy: Add missing network related MLSconstraints chanson
2009-02-13 19:36 ` chanson at TrustedCS.com
2009-02-13 20:44 ` Paul Moore
2009-02-13 20:44 ` Paul Moore
2009-02-13 21:38 ` Glenn Faden
2009-02-13 22:02 ` Paul Moore
2009-02-13 22:02 ` Paul Moore
2009-02-13 22:17 ` chanson
2009-02-13 22:17 ` chanson at TrustedCS.com
2009-02-13 23:17 ` Paul Moore [this message]
2009-02-13 23:17 ` Paul Moore
2009-02-13 23:54 ` chanson
2009-02-13 23:54 ` chanson at TrustedCS.com
2009-02-13 22:24 ` Glenn Faden
2009-02-13 23:10 ` Paul Moore
2009-02-14 2:41 ` Casey Schaufler
2009-02-16 15:18 ` chanson
2009-02-16 15:18 ` chanson at TrustedCS.com
2009-02-21 1:37 ` [refpolicy] [PATCH] refpolicy: Add missing network related MLS constraints Joe Nall
2009-02-21 1:37 ` Joe Nall
2009-02-23 17:37 ` Paul Moore
2009-02-23 17:37 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200902131817.29764.paul.moore@hp.com \
--to=paul.moore@hp.com \
--cc=Glenn.Faden@sun.com \
--cc=chanson@TrustedCS.com \
--cc=refpolicy@oss.tresys.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.