Label Translation on Fedora 9

Label Translation on Fedora 9

[Andy Warner]

[-- Attachment #1: Type: text/plain, Size: 651 bytes --]

I am running Fedora 9 with the MLS policy and see no evidence that the 
label translation is enabled. I am using the default setrans.conf and 
the "disable=1" flag is commented out.

Using the selinux_trans_to_raw (e.g., with a SystemHigh level) produces 
the exact same label string as passed in which will not pass validation 
(using s15:c0.c1023 will pass validation).

Trying id-Z followed by newrole produces:
id -Z
warner_u:secadm_r:secadm_t:s0-s15:c0.c1023

newrole -l SystemLow-SystemHigh
warner_u:secadm_r:secadm_t:SystemLow-SystemHigh is not a valid context

Is there something that must be done to activate label translation?

thanks

Andy

[-- Attachment #2: Type: text/html, Size: 908 bytes --]

Re: Label Translation on Fedora 9

[Stephen Smalley]

On Mon, 2008-11-03 at 12:49 +0100, Andy Warner wrote:
> I am running Fedora 9 with the MLS policy and see no evidence that the
> label translation is enabled. I am using the default setrans.conf and
> the "disable=1" flag is commented out.
> 
> Using the selinux_trans_to_raw (e.g., with a SystemHigh level)
> produces the exact same label string as passed in which will not pass
> validation (using s15:c0.c1023 will pass validation). 
> 
> Trying id-Z followed by newrole produces:
> id -Z
> warner_u:secadm_r:secadm_t:s0-s15:c0.c1023
> 
> newrole -l SystemLow-SystemHigh
> warner_u:secadm_r:secadm_t:SystemLow-SystemHigh is not a valid context
> 
> Is there something that must be done to activate label translation?

Label translation is provided by a daemon, mcstrans.

yum install mcstrans
/sbin/chkconfig mcstrans on
/sbin/service mcstrans start

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Label Translation on Fedora 9

[Andy Warner]

[-- Attachment #1: Type: text/plain, Size: 1386 bytes --]



Stephen Smalley wrote:
> On Mon, 2008-11-03 at 12:49 +0100, Andy Warner wrote:
>   
>> I am running Fedora 9 with the MLS policy and see no evidence that the
>> label translation is enabled. I am using the default setrans.conf and
>> the "disable=1" flag is commented out.
>>
>> Using the selinux_trans_to_raw (e.g., with a SystemHigh level)
>> produces the exact same label string as passed in which will not pass
>> validation (using s15:c0.c1023 will pass validation). 
>>
>> Trying id-Z followed by newrole produces:
>> id -Z
>> warner_u:secadm_r:secadm_t:s0-s15:c0.c1023
>>
>> newrole -l SystemLow-SystemHigh
>> warner_u:secadm_r:secadm_t:SystemLow-SystemHigh is not a valid context
>>
>> Is there something that must be done to activate label translation?
>>     
>
> Label translation is provided by a daemon, mcstrans.
>
> yum install mcstrans
> /sbin/chkconfig mcstrans on
> /sbin/service mcstrans start
>   

Thanks. I was not starting the mcstrans service. When I get a 
translation, it seems odd as follows.

without mcstrans:
id -Z
warner_u:secadm_r:secadm_t:s0-s15:c0.c1023

with mcstrans:
id -Z
warner_u:secadm_r:secadm_t:SystemLow:SystemLow-SystemHigh

Is it expected to have the high end of the range expressed as a range? 
The translation table has the following relevant entries:
s0                             SystemLow
s0-s15:c0.c1023      SystemLow-SystemHigh



[-- Attachment #2: Type: text/html, Size: 1949 bytes --]

Re: Label Translation on Fedora 9

[Stephen Smalley]

On Mon, 2008-11-03 at 14:47 +0100, Andy Warner wrote:
> 
> 
> Stephen Smalley wrote: 
> > On Mon, 2008-11-03 at 12:49 +0100, Andy Warner wrote:
> >   
> > > I am running Fedora 9 with the MLS policy and see no evidence that the
> > > label translation is enabled. I am using the default setrans.conf and
> > > the "disable=1" flag is commented out.
> > > 
> > > Using the selinux_trans_to_raw (e.g., with a SystemHigh level)
> > > produces the exact same label string as passed in which will not pass
> > > validation (using s15:c0.c1023 will pass validation). 
> > > 
> > > Trying id-Z followed by newrole produces:
> > > id -Z
> > > warner_u:secadm_r:secadm_t:s0-s15:c0.c1023
> > > 
> > > newrole -l SystemLow-SystemHigh
> > > warner_u:secadm_r:secadm_t:SystemLow-SystemHigh is not a valid context
> > > 
> > > Is there something that must be done to activate label translation?
> > >     
> > 
> > Label translation is provided by a daemon, mcstrans.
> > 
> > yum install mcstrans
> > /sbin/chkconfig mcstrans on
> > /sbin/service mcstrans start
> >   
> 
> Thanks. I was not starting the mcstrans service. When I get a
> translation, it seems odd as follows.
> 
> without mcstrans:
> id -Z
> warner_u:secadm_r:secadm_t:s0-s15:c0.c1023
> 
> with mcstrans:
> id -Z
> warner_u:secadm_r:secadm_t:SystemLow:SystemLow-SystemHigh
> 
> Is it expected to have the high end of the range expressed as a range?
> The translation table has the following relevant entries:
> s0                             SystemLow
> s0-s15:c0.c1023      SystemLow-SystemHigh

No, that looks wrong to me as well.  cc'ing Dan Walsh of Red Hat, who
maintains mcstrans.

BTW, if you are looking for more complete MLS label translation support,
you might try the extended mcstrans posted by Joe Nall.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Label Translation on Fedora 9

[Paul Moore]

On Monday 03 November 2008 8:51:49 am Stephen Smalley wrote:
> On Mon, 2008-11-03 at 14:47 +0100, Andy Warner wrote:
> > Stephen Smalley wrote:
> > > On Mon, 2008-11-03 at 12:49 +0100, Andy Warner wrote:
> > > > I am running Fedora 9 with the MLS policy and see no evidence
> > > > that the label translation is enabled. I am using the default
> > > > setrans.conf and the "disable=1" flag is commented out.
> > > >
> > > > Using the selinux_trans_to_raw (e.g., with a SystemHigh level)
> > > > produces the exact same label string as passed in which will
> > > > not pass validation (using s15:c0.c1023 will pass validation).
> > > >
> > > > Trying id-Z followed by newrole produces:
> > > > id -Z
> > > > warner_u:secadm_r:secadm_t:s0-s15:c0.c1023
> > > >
> > > > newrole -l SystemLow-SystemHigh
> > > > warner_u:secadm_r:secadm_t:SystemLow-SystemHigh is not a valid
> > > > context
> > > >
> > > > Is there something that must be done to activate label
> > > > translation?
> > >
> > > Label translation is provided by a daemon, mcstrans.
> > >
> > > yum install mcstrans
> > > /sbin/chkconfig mcstrans on
> > > /sbin/service mcstrans start
> >
> > Thanks. I was not starting the mcstrans service. When I get a
> > translation, it seems odd as follows.
> >
> > without mcstrans:
> > id -Z
> > warner_u:secadm_r:secadm_t:s0-s15:c0.c1023
> >
> > with mcstrans:
> > id -Z
> > warner_u:secadm_r:secadm_t:SystemLow:SystemLow-SystemHigh
> >
> > Is it expected to have the high end of the range expressed as a
> > range? The translation table has the following relevant entries:
> > s0                             SystemLow
> > s0-s15:c0.c1023      SystemLow-SystemHigh
>
> No, that looks wrong to me as well.  cc'ing Dan Walsh of Red Hat, who
> maintains mcstrans.
>
> BTW, if you are looking for more complete MLS label translation
> support, you might try the extended mcstrans posted by Joe Nall.

What is the status of the patch?  I vaguely remember a little bit of 
discussion/review about the patch but it's not clear to me if it was 
ever accepted into upstream/Fedora and if it wasn't what the next steps 
were going to be ...

-- 
paul moore
linux @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Label Translation on Fedora 9

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Paul Moore wrote:
> On Monday 03 November 2008 8:51:49 am Stephen Smalley wrote:
>> On Mon, 2008-11-03 at 14:47 +0100, Andy Warner wrote:
>>> Stephen Smalley wrote:
>>>> On Mon, 2008-11-03 at 12:49 +0100, Andy Warner wrote:
>>>>> I am running Fedora 9 with the MLS policy and see no evidence
>>>>> that the label translation is enabled. I am using the default
>>>>> setrans.conf and the "disable=1" flag is commented out.
>>>>>
>>>>> Using the selinux_trans_to_raw (e.g., with a SystemHigh level)
>>>>> produces the exact same label string as passed in which will
>>>>> not pass validation (using s15:c0.c1023 will pass validation).
>>>>>
>>>>> Trying id-Z followed by newrole produces:
>>>>> id -Z
>>>>> warner_u:secadm_r:secadm_t:s0-s15:c0.c1023
>>>>>
>>>>> newrole -l SystemLow-SystemHigh
>>>>> warner_u:secadm_r:secadm_t:SystemLow-SystemHigh is not a valid
>>>>> context
>>>>>
>>>>> Is there something that must be done to activate label
>>>>> translation?
>>>> Label translation is provided by a daemon, mcstrans.
>>>>
>>>> yum install mcstrans
>>>> /sbin/chkconfig mcstrans on
>>>> /sbin/service mcstrans start
>>> Thanks. I was not starting the mcstrans service. When I get a
>>> translation, it seems odd as follows.
>>>
>>> without mcstrans:
>>> id -Z
>>> warner_u:secadm_r:secadm_t:s0-s15:c0.c1023
>>>
>>> with mcstrans:
>>> id -Z
>>> warner_u:secadm_r:secadm_t:SystemLow:SystemLow-SystemHigh
>>>
>>> Is it expected to have the high end of the range expressed as a
>>> range? The translation table has the following relevant entries:
>>> s0                             SystemLow
>>> s0-s15:c0.c1023      SystemLow-SystemHigh
>> No, that looks wrong to me as well.  cc'ing Dan Walsh of Red Hat, who
>> maintains mcstrans.
>>
>> BTW, if you are looking for more complete MLS label translation
>> support, you might try the extended mcstrans posted by Joe Nall.
> 
> What is the status of the patch?  I vaguely remember a little bit of 
> discussion/review about the patch but it's not clear to me if it was 
> ever accepted into upstream/Fedora and if it wasn't what the next steps 
> were going to be ...
> 
Good question, we have let this slip through the cracks.  I would like
to replace my library totally with Joe's.  The only concern would be to
allow people who used my format to convert to the new format if possible
or at least document how to do this.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkkPYFkACgkQrlYvE4MpobOZRQCfbG2Nk+8sRypiJgSjIATHqLeI
jz4An3xTcOjf4ZJpwP2j0PtnM+bPRrR7
=iNCh
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Label Translation on Fedora 9

[Joe Nall]

On Nov 3, 2008, at 2:34 PM, Daniel J Walsh wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Paul Moore wrote:
>> On Monday 03 November 2008 8:51:49 am Stephen Smalley wrote:
>>> On Mon, 2008-11-03 at 14:47 +0100, Andy Warner wrote:
>>>> Stephen Smalley wrote:
>>>>> On Mon, 2008-11-03 at 12:49 +0100, Andy Warner wrote:
>>>>>> I am running Fedora 9 with the MLS policy and see no evidence
>>>>>> that the label translation is enabled. I am using the default
>>>>>> setrans.conf and the "disable=1" flag is commented out.
>>>>>>
>>>>>> Using the selinux_trans_to_raw (e.g., with a SystemHigh level)
>>>>>> produces the exact same label string as passed in which will
>>>>>> not pass validation (using s15:c0.c1023 will pass validation).
>>>>>>
>>>>>> Trying id-Z followed by newrole produces:
>>>>>> id -Z
>>>>>> warner_u:secadm_r:secadm_t:s0-s15:c0.c1023
>>>>>>
>>>>>> newrole -l SystemLow-SystemHigh
>>>>>> warner_u:secadm_r:secadm_t:SystemLow-SystemHigh is not a valid
>>>>>> context
>>>>>>
>>>>>> Is there something that must be done to activate label
>>>>>> translation?
>>>>> Label translation is provided by a daemon, mcstrans.
>>>>>
>>>>> yum install mcstrans
>>>>> /sbin/chkconfig mcstrans on
>>>>> /sbin/service mcstrans start
>>>> Thanks. I was not starting the mcstrans service. When I get a
>>>> translation, it seems odd as follows.
>>>>
>>>> without mcstrans:
>>>> id -Z
>>>> warner_u:secadm_r:secadm_t:s0-s15:c0.c1023
>>>>
>>>> with mcstrans:
>>>> id -Z
>>>> warner_u:secadm_r:secadm_t:SystemLow:SystemLow-SystemHigh
>>>>
>>>> Is it expected to have the high end of the range expressed as a
>>>> range? The translation table has the following relevant entries:
>>>> s0                             SystemLow
>>>> s0-s15:c0.c1023      SystemLow-SystemHigh
>>> No, that looks wrong to me as well.  cc'ing Dan Walsh of Red Hat,  
>>> who
>>> maintains mcstrans.
>>>
>>> BTW, if you are looking for more complete MLS label translation
>>> support, you might try the extended mcstrans posted by Joe Nall.
>>
>> What is the status of the patch?  I vaguely remember a little bit of
>> discussion/review about the patch but it's not clear to me if it was
>> ever accepted into upstream/Fedora and if it wasn't what the next  
>> steps
>> were going to be ...
>>
> Good question, we have let this slip through the cracks.  I would like
> to replace my library totally with Joe's.  The only concern would be  
> to
> allow people who used my format to convert to the new format if  
> possible
> or at least document how to do this.

Sorry about the big delay in closure on this. We have been very busy  
trying to build a demonstrable Fedora based MLS/X system to run our  
applications on. The demo was last week in London and we have some  
time to upstream our changes this month. That includes adding  
combination constraints, label-to-color mapping and migration tools to  
mcstransd and pushing it into a public repo for community consideration.

joe



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Label Translation on Fedora 9

[Paul Moore]

On Sunday 09 November 2008 1:26:58 pm Joe Nall wrote:
> On Nov 3, 2008, at 2:34 PM, Daniel J Walsh wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Paul Moore wrote:
> >> On Monday 03 November 2008 8:51:49 am Stephen Smalley wrote:
> >>> On Mon, 2008-11-03 at 14:47 +0100, Andy Warner wrote:
> >>>> Stephen Smalley wrote:
> >>>>> On Mon, 2008-11-03 at 12:49 +0100, Andy Warner wrote:
> >>>>>> I am running Fedora 9 with the MLS policy and see no evidence
> >>>>>> that the label translation is enabled. I am using the default
> >>>>>> setrans.conf and the "disable=1" flag is commented out.
> >>>>>>
> >>>>>> Using the selinux_trans_to_raw (e.g., with a SystemHigh level)
> >>>>>> produces the exact same label string as passed in which will
> >>>>>> not pass validation (using s15:c0.c1023 will pass validation).
> >>>>>>
> >>>>>> Trying id-Z followed by newrole produces:
> >>>>>> id -Z
> >>>>>> warner_u:secadm_r:secadm_t:s0-s15:c0.c1023
> >>>>>>
> >>>>>> newrole -l SystemLow-SystemHigh
> >>>>>> warner_u:secadm_r:secadm_t:SystemLow-SystemHigh is not a valid
> >>>>>> context
> >>>>>>
> >>>>>> Is there something that must be done to activate label
> >>>>>> translation?
> >>>>>
> >>>>> Label translation is provided by a daemon, mcstrans.
> >>>>>
> >>>>> yum install mcstrans
> >>>>> /sbin/chkconfig mcstrans on
> >>>>> /sbin/service mcstrans start
> >>>>
> >>>> Thanks. I was not starting the mcstrans service. When I get a
> >>>> translation, it seems odd as follows.
> >>>>
> >>>> without mcstrans:
> >>>> id -Z
> >>>> warner_u:secadm_r:secadm_t:s0-s15:c0.c1023
> >>>>
> >>>> with mcstrans:
> >>>> id -Z
> >>>> warner_u:secadm_r:secadm_t:SystemLow:SystemLow-SystemHigh
> >>>>
> >>>> Is it expected to have the high end of the range expressed as a
> >>>> range? The translation table has the following relevant entries:
> >>>> s0                             SystemLow
> >>>> s0-s15:c0.c1023      SystemLow-SystemHigh
> >>>
> >>> No, that looks wrong to me as well.  cc'ing Dan Walsh of Red Hat,
> >>> who
> >>> maintains mcstrans.
> >>>
> >>> BTW, if you are looking for more complete MLS label translation
> >>> support, you might try the extended mcstrans posted by Joe Nall.
> >>
> >> What is the status of the patch?  I vaguely remember a little bit
> >> of discussion/review about the patch but it's not clear to me if
> >> it was ever accepted into upstream/Fedora and if it wasn't what
> >> the next steps
> >> were going to be ...
> >
> > Good question, we have let this slip through the cracks.  I would
> > like to replace my library totally with Joe's.  The only concern
> > would be to
> > allow people who used my format to convert to the new format if
> > possible
> > or at least document how to do this.
>
> Sorry about the big delay in closure on this. We have been very busy
> trying to build a demonstrable Fedora based MLS/X system to run our
> applications on. The demo was last week in London and we have some
> time to upstream our changes this month. That includes adding
> combination constraints, label-to-color mapping and migration tools
> to mcstransd and pushing it into a public repo for community
> consideration.

Cool.  Do the current X/metacity patches support label coloring?

-- 
paul moore
linux @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Label Translation on Fedora 9

[Xavier Toth]

On Mon, Nov 10, 2008 at 9:56 AM, Paul Moore <paul.moore@hp.com> wrote:
> On Sunday 09 November 2008 1:26:58 pm Joe Nall wrote:
>> On Nov 3, 2008, at 2:34 PM, Daniel J Walsh wrote:
>> > -----BEGIN PGP SIGNED MESSAGE-----
>> > Hash: SHA1
>> >
>> > Paul Moore wrote:
>> >> On Monday 03 November 2008 8:51:49 am Stephen Smalley wrote:
>> >>> On Mon, 2008-11-03 at 14:47 +0100, Andy Warner wrote:
>> >>>> Stephen Smalley wrote:
>> >>>>> On Mon, 2008-11-03 at 12:49 +0100, Andy Warner wrote:
>> >>>>>> I am running Fedora 9 with the MLS policy and see no evidence
>> >>>>>> that the label translation is enabled. I am using the default
>> >>>>>> setrans.conf and the "disable=1" flag is commented out.
>> >>>>>>
>> >>>>>> Using the selinux_trans_to_raw (e.g., with a SystemHigh level)
>> >>>>>> produces the exact same label string as passed in which will
>> >>>>>> not pass validation (using s15:c0.c1023 will pass validation).
>> >>>>>>
>> >>>>>> Trying id-Z followed by newrole produces:
>> >>>>>> id -Z
>> >>>>>> warner_u:secadm_r:secadm_t:s0-s15:c0.c1023
>> >>>>>>
>> >>>>>> newrole -l SystemLow-SystemHigh
>> >>>>>> warner_u:secadm_r:secadm_t:SystemLow-SystemHigh is not a valid
>> >>>>>> context
>> >>>>>>
>> >>>>>> Is there something that must be done to activate label
>> >>>>>> translation?
>> >>>>>
>> >>>>> Label translation is provided by a daemon, mcstrans.
>> >>>>>
>> >>>>> yum install mcstrans
>> >>>>> /sbin/chkconfig mcstrans on
>> >>>>> /sbin/service mcstrans start
>> >>>>
>> >>>> Thanks. I was not starting the mcstrans service. When I get a
>> >>>> translation, it seems odd as follows.
>> >>>>
>> >>>> without mcstrans:
>> >>>> id -Z
>> >>>> warner_u:secadm_r:secadm_t:s0-s15:c0.c1023
>> >>>>
>> >>>> with mcstrans:
>> >>>> id -Z
>> >>>> warner_u:secadm_r:secadm_t:SystemLow:SystemLow-SystemHigh
>> >>>>
>> >>>> Is it expected to have the high end of the range expressed as a
>> >>>> range? The translation table has the following relevant entries:
>> >>>> s0                             SystemLow
>> >>>> s0-s15:c0.c1023      SystemLow-SystemHigh
>> >>>
>> >>> No, that looks wrong to me as well.  cc'ing Dan Walsh of Red Hat,
>> >>> who
>> >>> maintains mcstrans.
>> >>>
>> >>> BTW, if you are looking for more complete MLS label translation
>> >>> support, you might try the extended mcstrans posted by Joe Nall.
>> >>
>> >> What is the status of the patch?  I vaguely remember a little bit
>> >> of discussion/review about the patch but it's not clear to me if
>> >> it was ever accepted into upstream/Fedora and if it wasn't what
>> >> the next steps
>> >> were going to be ...
>> >
>> > Good question, we have let this slip through the cracks.  I would
>> > like to replace my library totally with Joe's.  The only concern
>> > would be to
>> > allow people who used my format to convert to the new format if
>> > possible
>> > or at least document how to do this.
>>
>> Sorry about the big delay in closure on this. We have been very busy
>> trying to build a demonstrable Fedora based MLS/X system to run our
>> applications on. The demo was last week in London and we have some
>> time to upstream our changes this month. That includes adding
>> combination constraints, label-to-color mapping and migration tools
>> to mcstransd and pushing it into a public repo for community
>> consideration.
>
> Cool.  Do the current X/metacity patches support label coloring?
>
> --
> paul moore
> linux @ hp
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
>

No.

Ted

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Label Translation on Fedora 9

[Joe Nall]

On Nov 10, 2008, at 10:10 AM, Xavier Toth wrote:

> On Mon, Nov 10, 2008 at 9:56 AM, Paul Moore <paul.moore@hp.com> wrote:
>> ...
>> Cool.  Do the current X/metacity patches support label coloring?
>>
>> --
>> paul moore
>> linux @ hp
>
> No.
>
> Ted

Ted has unreleased patches to metacity and openbox support the  
coloring the window banner based on classification. We want to move  
the code from a shared library to mcstransd before releasing them into  
the wild.

He also wrote a simple banner program to show the current session  
level. It needs to run in a protected type and better defend its  
screen real estate or be integrated into X or the window manager.

joe


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Label Translation on Fedora 9

[Paul Moore]

On Monday 10 November 2008 11:10:49 am Xavier Toth wrote:
> On Mon, Nov 10, 2008 at 9:56 AM, Paul Moore <paul.moore@hp.com> wrote:
> > On Sunday 09 November 2008 1:26:58 pm Joe Nall wrote:
> >> Sorry about the big delay in closure on this. We have been very
> >> busy trying to build a demonstrable Fedora based MLS/X system to
> >> run our applications on. The demo was last week in London and we
> >> have some time to upstream our changes this month. That includes
> >> adding combination constraints, label-to-color mapping and
> >> migration tools to mcstransd and pushing it into a public repo for
> >> community consideration.
> >
> > Cool.  Do the current X/metacity patches support label coloring?
>
> No.

Okay, just out of curiosity is this being worked on?  Also, what other 
applications are there for label coloring?

I'm just trying to understand things a little better.

-- 
paul moore
linux @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Label Translation on Fedora 9

[Xavier Toth]

On Mon, Nov 10, 2008 at 10:26 AM, Paul Moore <paul.moore@hp.com> wrote:
> On Monday 10 November 2008 11:10:49 am Xavier Toth wrote:
>> On Mon, Nov 10, 2008 at 9:56 AM, Paul Moore <paul.moore@hp.com> wrote:
>> > On Sunday 09 November 2008 1:26:58 pm Joe Nall wrote:
>> >> Sorry about the big delay in closure on this. We have been very
>> >> busy trying to build a demonstrable Fedora based MLS/X system to
>> >> run our applications on. The demo was last week in London and we
>> >> have some time to upstream our changes this month. That includes
>> >> adding combination constraints, label-to-color mapping and
>> >> migration tools to mcstransd and pushing it into a public repo for
>> >> community consideration.
>> >
>> > Cool.  Do the current X/metacity patches support label coloring?
>>
>> No.
>
> Okay, just out of curiosity is this being worked on?  Also, what other
> applications are there for label coloring?
>
> I'm just trying to understand things a little better.
>
> --
> paul moore
> linux @ hp
>

Once we get color support in Joe's version of mcstrans I'll integrate
color support into metacity and openbox and then work on getting it
upstreamed. Aside from mcstrans modifications this will require
libselinux changes to implement new apis to get color based on
context. I'm not sure what other applications there are for label
coloring.

Ted

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Label Translation on Fedora 9

[Paul Moore]

On Monday 10 November 2008 11:16:43 am Joe Nall wrote:
> On Nov 10, 2008, at 10:10 AM, Xavier Toth wrote:
> > On Mon, Nov 10, 2008 at 9:56 AM, Paul Moore <paul.moore@hp.com> 
wrote:
> >> ...
> >> Cool.  Do the current X/metacity patches support label coloring?
> >>
> >> --
> >> paul moore
> >> linux @ hp
> >
> > No.
> >
> > Ted
>
> Ted has unreleased patches to metacity and openbox support the
> coloring the window banner based on classification. We want to move
> the code from a shared library to mcstransd before releasing them
> into the wild.
>
> He also wrote a simple banner program to show the current session
> level. It needs to run in a protected type and better defend its
> screen real estate or be integrated into X or the window manager.

Okay, sounds good.  Thanks for the update.

-- 
paul moore
linux @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Label Translation on Fedora 9

[Russell Coker]

On Monday 10 November 2008 05:26, Joe Nall <joe@nall.com> wrote:
> Sorry about the big delay in closure on this. We have been very busy  
> trying to build a demonstrable Fedora based MLS/X system to run our  
> applications on. The demo was last week in London and we have some  
> time to upstream our changes this month. That includes adding  
> combination constraints, label-to-color mapping and migration tools to  
> mcstransd and pushing it into a public repo for community consideration.

Have you considered making a Xen image of that available for public download?

One item on my todo list is to prepared some Xen images of SE Linux for 
download so that people can try it out.  I have recently acquired a suitable 
server (thanks to a generous German friend) and now only need to find the 
time.

Another item on my todo list is to run a Xen server for public SE Linux 
training.  Hopefully I will get that done in a couple of weeks.

Also I'm idly considering putting a Debian SE Linux image on EC2.  I'm not 
sure if that would interest anyone though.

-- 
russell@coker.com.au
http://etbe.coker.com.au/          My Blog

http://www.coker.com.au/sponsorship.html Sponsoring Free Software development


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Label Translation on Fedora 9

[Joe Nall]

On Nov 12, 2008, at 3:23 AM, Russell Coker wrote:

> On Monday 10 November 2008 05:26, Joe Nall <joe@nall.com> wrote:
>> Sorry about the big delay in closure on this. We have been very busy
>> trying to build a demonstrable Fedora based MLS/X system to run our
>> applications on. The demo was last week in London and we have some
>> time to upstream our changes this month. That includes adding
>> combination constraints, label-to-color mapping and migration tools  
>> to
>> mcstransd and pushing it into a public repo for community  
>> consideration.
>
> Have you considered making a Xen image of that available for public  
> download?

No. I like the idea, but don't have the time right now.

I would rather see the Fedora re-spin process be capable of a MLS Live  
CD. It might be pretty close these days, but I haven't tried it in  
about 12 months.

joe


> One item on my todo list is to prepared some Xen images of SE Linux  
> for
> download so that people can try it out.  I have recently acquired a  
> suitable
> server (thanks to a generous German friend) and now only need to  
> find the
> time.
>
> Another item on my todo list is to run a Xen server for public SE  
> Linux
> training.  Hopefully I will get that done in a couple of weeks.
>
> Also I'm idly considering putting a Debian SE Linux image on EC2.   
> I'm not
> sure if that would interest anyone though.
>
> -- 
> russell@coker.com.au
> http://etbe.coker.com.au/          My Blog
>
> http://www.coker.com.au/sponsorship.html Sponsoring Free Software  
> development


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.