From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from zombie2.ncsc.mil (zombie2.ncsc.mil [144.51.88.133]) by tarius.tycho.ncsc.mil (8.13.1/8.13.1) with ESMTP id mA3BnlZK001564 for ; Mon, 3 Nov 2008 06:49:47 -0500
Received: from house.lunarmania.com (jazzdrum.ncsc.mil [144.51.5.7]) by zombie2.ncsc.mil (8.12.10/8.12.10) with ESMTP id mA3Bm5TD025844 for ; Mon, 3 Nov 2008 11:48:10 GMT
Received: from 83-131-241-229.adsl.net.t-com.hr ([83.131.241.229] helo=[192.168.1.22]) by house.lunarmania.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from ) id 1Kwxw6-0000bV-W6 for selinux@tycho.nsa.gov; Mon, 03 Nov 2008 03:49:35 -0800
Message-ID: <490EE548.60400@rubix.com>
Date: Mon, 03 Nov 2008 12:49:28 +0100
From: Andy Warner
MIME-Version: 1.0
To: selinux@tycho.nsa.gov
Subject: Label Translation on Fedora 9
Content-Type: multipart/alternative; boundary="------------050700070302060603060007"
Sender: owner-selinux@tycho.nsa.gov
List-Id: selinux@tycho.nsa.gov

This is a multi-part message in MIME format.
--------------050700070302060603060007
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

I am running Fedora 9 with the MLS policy and see no evidence that the label translation is enabled. I am using the default setrans.conf and the "disable=1" flag is commented out.

Using the selinux_trans_to_raw (e.g., with a SystemHigh level) produces the exact same label string as passed in which will not pass validation (using s15:c0.c1023 will pass validation).

Trying id-Z followed by newrole produces:
id -Z
warner_u:secadm_r:secadm_t:s0-s15:c0.c1023

newrole -l SystemLow-SystemHigh
warner_u:secadm_r:secadm_t:SystemLow-SystemHigh is not a valid context

Is there something that must be done to activate label translation?

thanks

Andy
--------------050700070302060603060007--

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: Re: Label Translation on Fedora 9
From: Stephen Smalley
To: Andy Warner
Cc: selinux@tycho.nsa.gov
In-Reply-To: <490EE548.60400@rubix.com>
References: <490EE548.60400@rubix.com>
Content-Type: text/plain
Date: Mon, 03 Nov 2008 08:29:38 -0500
Message-Id: <1225718978.3609.3.camel@moss-spartans.epoch.ncsc.mil>
Mime-Version: 1.0
Sender: owner-selinux@tycho.nsa.gov
List-Id: selinux@tycho.nsa.gov

On Mon, 2008-11-03 at 12:49 +0100, Andy Warner wrote:
> I am running Fedora 9 with the MLS policy and see no evidence that the
> label translation is enabled. I am using the default setrans.conf and
> the "disable=1" flag is commented out.
>
> Using the selinux_trans_to_raw (e.g., with a SystemHigh level)
> produces the exact same label string as passed in which will not pass
> validation (using s15:c0.c1023 will pass validation).
>
> Trying id-Z followed by newrole produces:
> id -Z
> warner_u:secadm_r:secadm_t:s0-s15:c0.c1023
>
> newrole -l SystemLow-SystemHigh
> warner_u:secadm_r:secadm_t:SystemLow-SystemHigh is not a valid context
>
> Is there something that must be done to activate label translation?

Label translation is provided by a daemon, mcstrans.

yum install mcstrans
/sbin/chkconfig mcstrans on
/sbin/service mcstrans start

--
Stephen Smalley
National Security Agency

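The symptom in the question above, as an added example (not code from the thread, libselinux or mcstrans): a simplified Python model of alias-to-raw lookup showing why an alias reaches validation unchanged when no translation table is being served. It assumes exact-match lookup over `raw=translated` lines; `parse_setrans`, `trans_to_raw` and `diagnose` are hypothetical names and the table is constructed.

```python
import re

# Constructed sample in setrans.conf "raw=translated" syntax (not from a real host).
SAMPLE_SETRANS = """\
# disable=1
s0=SystemLow
s15:c0.c1023=SystemHigh
s0-s15:c0.c1023=SystemLow-SystemHigh
"""

# Raw MLS syntax: sN[:cats][-sN[:cats]], where cats is cN or cN.cM, comma separated.
_CATS = r"c\d+(?:\.c\d+)?(?:,c\d+(?:\.c\d+)?)*"
_LEVEL = rf"s\d+(?::{_CATS})?"
RAW_RANGE = re.compile(rf"^{_LEVEL}(?:-{_LEVEL})?$")


def parse_setrans(text):
    """Return {alias: raw} from setrans.conf-style text, or {} if disable=1 is active."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # a commented-out line has no effect
        if "=" not in line:
            continue
        raw, alias = (part.strip() for part in line.split("=", 1))
        if raw == "disable":
            if alias == "1":
                return {}                      # translation switched off
            continue
        table[alias] = raw
    return table


def trans_to_raw(context, table):
    """Model of the lookup: replace a known alias, otherwise return the input unchanged."""
    # The MLS field itself contains ':' (s15:c0.c1023), so split only three times.
    parts = context.split(":", 3)
    if len(parts) < 4:
        return context
    parts[3] = table.get(parts[3], parts[3])
    return ":".join(parts)


def diagnose(context, table):
    """Classify what a validator would be handed after the lookup."""
    raw = trans_to_raw(context, table)
    parts = raw.split(":", 3)
    if len(parts) < 4:
        return "no-level"
    if not RAW_RANGE.match(parts[3]):
        return "untranslated"      # alias survived: raw validation would reject it
    return "already-raw" if raw == context else "translated"


if __name__ == "__main__":
    ctx = "warner_u:secadm_r:secadm_t:SystemLow-SystemHigh"
    # Empty table models a host where nothing is answering translation requests.
    for name, table in (("no table", {}), ("table loaded", parse_setrans(SAMPLE_SETRANS))):
        print(f"{name}: {trans_to_raw(ctx, table)} -> {diagnose(ctx, table)}")
```
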
From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <490F00E1.4050704@rubix.com>
Date: Mon, 03 Nov 2008 14:47:13 +0100
From: Andy Warner
MIME-Version: 1.0
To: Stephen Smalley
CC: selinux@tycho.nsa.gov
Subject: Re: Label Translation on Fedora 9
References: <490EE548.60400@rubix.com> <1225718978.3609.3.camel@moss-spartans.epoch.ncsc.mil>
In-Reply-To: <1225718978.3609.3.camel@moss-spartans.epoch.ncsc.mil>
Content-Type: multipart/alternative; boundary="------------030509010202060807080202"
Sender: owner-selinux@tycho.nsa.gov
List-Id: selinux@tycho.nsa.gov

This is a multi-part message in MIME format.
--------------030509010202060807080202
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Stephen Smalley wrote:
> On Mon, 2008-11-03 at 12:49 +0100, Andy Warner wrote:
>
>> I am running Fedora 9 with the MLS policy and see no evidence that the
>> label translation is enabled. I am using the default setrans.conf and
>> the "disable=1" flag is commented out.
>>
>> Using the selinux_trans_to_raw (e.g., with a SystemHigh level)
>> produces the exact same label string as passed in which will not pass
>> validation (using s15:c0.c1023 will pass validation).
>>
>> Trying id-Z followed by newrole produces:
>> id -Z
>> warner_u:secadm_r:secadm_t:s0-s15:c0.c1023
>>
>> newrole -l SystemLow-SystemHigh
>> warner_u:secadm_r:secadm_t:SystemLow-SystemHigh is not a valid context
>>
>> Is there something that must be done to activate label translation?
>>
>
> Label translation is provided by a daemon, mcstrans.
>
> yum install mcstrans
> /sbin/chkconfig mcstrans on
> /sbin/service mcstrans start
>

Thanks. I was not starting the mcstrans service. When I get a translation, it seems odd as follows.

without mcstrans:
id -Z
warner_u:secadm_r:secadm_t:s0-s15:c0.c1023

with mcstrans:
id -Z
warner_u:secadm_r:secadm_t:SystemLow:SystemLow-SystemHigh

Is it expected to have the high end of the range expressed as a range?
The translation table has the following relevant entries:
s0                   SystemLow
s0-s15:c0.c1023      SystemLow-SystemHigh

--------------030509010202060807080202--

From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: Re: Label Translation on Fedora 9
From: Stephen Smalley
To: Andy Warner
Cc: selinux@tycho.nsa.gov, Daniel J Walsh
In-Reply-To: <490F00E1.4050704@rubix.com>
References: <490EE548.60400@rubix.com> <1225718978.3609.3.camel@moss-spartans.epoch.ncsc.mil> <490F00E1.4050704@rubix.com>
Content-Type: text/plain
Date: Mon, 03 Nov 2008 08:51:49 -0500
Message-Id: <1225720309.3609.24.camel@moss-spartans.epoch.ncsc.mil>
Mime-Version: 1.0
Sender: owner-selinux@tycho.nsa.gov
List-Id: selinux@tycho.nsa.gov

On Mon, 2008-11-03 at 14:47 +0100, Andy Warner wrote:
>
>
> Stephen Smalley wrote:
> > On Mon, 2008-11-03 at 12:49 +0100, Andy Warner wrote:
> >
> > > I am running Fedora 9 with the MLS policy and see no evidence that the
> > > label translation is enabled. I am using the default setrans.conf and
> > > the "disable=1" flag is commented out.
> > >
> > > Using the selinux_trans_to_raw (e.g., with a SystemHigh level)
> > > produces the exact same label string as passed in which will not pass
> > > validation (using s15:c0.c1023 will pass validation).
> > >
> > > Trying id-Z followed by newrole produces:
> > > id -Z
> > > warner_u:secadm_r:secadm_t:s0-s15:c0.c1023
> > >
> > > newrole -l SystemLow-SystemHigh
> > > warner_u:secadm_r:secadm_t:SystemLow-SystemHigh is not a valid context
> > >
> > > Is there something that must be done to activate label translation?
> > >
> >
> > Label translation is provided by a daemon, mcstrans.
> >
> > yum install mcstrans
> > /sbin/chkconfig mcstrans on
> > /sbin/service mcstrans start
> >
>
> Thanks. I was not starting the mcstrans service. When I get a
> translation, it seems odd as follows.
>
> without mcstrans:
> id -Z
> warner_u:secadm_r:secadm_t:s0-s15:c0.c1023
>
> with mcstrans:
> id -Z
> warner_u:secadm_r:secadm_t:SystemLow:SystemLow-SystemHigh
>
> Is it expected to have the high end of the range expressed as a range?
> The translation table has the following relevant entries:
> s0 SystemLow
> s0-s15:c0.c1023 SystemLow-SystemHigh

No, that looks wrong to me as well. cc'ing Dan Walsh of Red Hat, who
maintains mcstrans.

BTW, if you are looking for more complete MLS label translation support,
you might try the extended mcstrans posted by Joe Nall.

--
Stephen Smalley
National Security Agency

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Paul Moore
To: Stephen Smalley
Subject: Re: Label Translation on Fedora 9
Date: Mon, 3 Nov 2008 11:29:58 -0500
Cc: Andy Warner, selinux@tycho.nsa.gov, Daniel J Walsh, Joe Nall
References: <490EE548.60400@rubix.com> <490F00E1.4050704@rubix.com> <1225720309.3609.24.camel@moss-spartans.epoch.ncsc.mil>
In-Reply-To: <1225720309.3609.24.camel@moss-spartans.epoch.ncsc.mil>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Message-Id: <200811031129.58700.paul.moore@hp.com>
Sender: owner-selinux@tycho.nsa.gov
List-Id: selinux@tycho.nsa.gov

On Monday 03 November 2008 8:51:49 am Stephen Smalley wrote:
> On Mon, 2008-11-03 at 14:47 +0100, Andy Warner wrote:
> > Stephen Smalley wrote:
> > > On Mon, 2008-11-03 at 12:49 +0100, Andy Warner wrote:
> > > > I am running Fedora 9 with the MLS policy and see no evidence
> > > > that the label translation is enabled. I am using the default
> > > > setrans.conf and the "disable=1" flag is commented out.
> > > >
> > > > Using the selinux_trans_to_raw (e.g., with a SystemHigh level)
> > > > produces the exact same label string as passed in which will
> > > > not pass validation (using s15:c0.c1023 will pass validation).
> > > >
> > > > Trying id-Z followed by newrole produces:
> > > > id -Z
> > > > warner_u:secadm_r:secadm_t:s0-s15:c0.c1023
> > > >
> > > > newrole -l SystemLow-SystemHigh
> > > > warner_u:secadm_r:secadm_t:SystemLow-SystemHigh is not a valid
> > > > context
> > > >
> > > > Is there something that must be done to activate label
> > > > translation?
> > >
> > > Label translation is provided by a daemon, mcstrans.
> > >
> > > yum install mcstrans
> > > /sbin/chkconfig mcstrans on
> > > /sbin/service mcstrans start
> >
> > Thanks. I was not starting the mcstrans service. When I get a
> > translation, it seems odd as follows.
> >
> > without mcstrans:
> > id -Z
> > warner_u:secadm_r:secadm_t:s0-s15:c0.c1023
> >
> > with mcstrans:
> > id -Z
> > warner_u:secadm_r:secadm_t:SystemLow:SystemLow-SystemHigh
> >
> > Is it expected to have the high end of the range expressed as a
> > range? The translation table has the following relevant entries:
> > s0 SystemLow
> > s0-s15:c0.c1023 SystemLow-SystemHigh
>
> No, that looks wrong to me as well. cc'ing Dan Walsh of Red Hat, who
> maintains mcstrans.
>
> BTW, if you are looking for more complete MLS label translation
> support, you might try the extended mcstrans posted by Joe Nall.

What is the status of the patch? I vaguely remember a little bit of
discussion/review about the patch but it's not clear to me if it was ever
accepted into upstream/Fedora and if it wasn't what the next steps were
going to be ...

--
paul moore
linux @ hp

From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <490F6059.3010106@redhat.com>
Date: Mon, 03 Nov 2008 15:34:33 -0500
From: Daniel J Walsh
MIME-Version: 1.0
To: Paul Moore
CC: Stephen Smalley, Andy Warner, selinux@tycho.nsa.gov, Joe Nall
Subject: Re: Label Translation on Fedora 9
References: <490EE548.60400@rubix.com> <490F00E1.4050704@rubix.com> <1225720309.3609.24.camel@moss-spartans.epoch.ncsc.mil> <200811031129.58700.paul.moore@hp.com>
In-Reply-To: <200811031129.58700.paul.moore@hp.com>
Content-Type: text/plain; charset=ISO-8859-1
Sender: owner-selinux@tycho.nsa.gov
List-Id: selinux@tycho.nsa.gov

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Paul Moore wrote:
> On Monday 03 November 2008 8:51:49 am Stephen Smalley wrote:
>> On Mon, 2008-11-03 at 14:47 +0100, Andy Warner wrote:
>>> Stephen Smalley wrote:
>>>> On Mon, 2008-11-03 at 12:49 +0100, Andy Warner wrote:
>>>>> I am running Fedora 9 with the MLS policy and see no evidence
>>>>> that the label translation is enabled. I am using the default
>>>>> setrans.conf and the "disable=1" flag is commented out.
>>>>>
>>>>> Using the selinux_trans_to_raw (e.g., with a SystemHigh level)
>>>>> produces the exact same label string as passed in which will
>>>>> not pass validation (using s15:c0.c1023 will pass validation).
>>>>>
>>>>> Trying id-Z followed by newrole produces:
>>>>> id -Z
>>>>> warner_u:secadm_r:secadm_t:s0-s15:c0.c1023
>>>>>
>>>>> newrole -l SystemLow-SystemHigh
>>>>> warner_u:secadm_r:secadm_t:SystemLow-SystemHigh is not a valid
>>>>> context
>>>>>
>>>>> Is there something that must be done to activate label
>>>>> translation?
>>>> Label translation is provided by a daemon, mcstrans.
>>>>
>>>> yum install mcstrans
>>>> /sbin/chkconfig mcstrans on
>>>> /sbin/service mcstrans start
>>> Thanks. I was not starting the mcstrans service. When I get a
>>> translation, it seems odd as follows.
>>>
>>> without mcstrans:
>>> id -Z
>>> warner_u:secadm_r:secadm_t:s0-s15:c0.c1023
>>>
>>> with mcstrans:
>>> id -Z
>>> warner_u:secadm_r:secadm_t:SystemLow:SystemLow-SystemHigh
>>>
>>> Is it expected to have the high end of the range expressed as a
>>> range? The translation table has the following relevant entries:
>>> s0 SystemLow
>>> s0-s15:c0.c1023 SystemLow-SystemHigh
>> No, that looks wrong to me as well. cc'ing Dan Walsh of Red Hat, who
>> maintains mcstrans.
>>
>> BTW, if you are looking for more complete MLS label translation
>> support, you might try the extended mcstrans posted by Joe Nall.
>
> What is the status of the patch? I vaguely remember a little bit of
> discussion/review about the patch but it's not clear to me if it was
> ever accepted into upstream/Fedora and if it wasn't what the next steps
> were going to be ...
>

Good question, we have let this slip through the cracks. I would like to
replace my library totally with Joe's. The only concern would be to allow
people who used my format to convert to the new format if possible or at
least document how to do this.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkkPYFkACgkQrlYvE4MpobOZRQCfbG2Nk+8sRypiJgSjIATHqLeI
jz4An3xTcOjf4ZJpwP2j0PtnM+bPRrR7
=iNCh
-----END PGP SIGNATURE-----

From mboxrd@z Thu Jan 1 00:00:00 1970
Cc: Paul Moore, Stephen Smalley, Andy Warner, selinux@tycho.nsa.gov
Message-Id: <354D5A91-3C3C-4AFC-8062-72382AFD55BE@nall.com>
From: Joe Nall
To: Daniel J Walsh
In-Reply-To: <490F6059.3010106@redhat.com>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Mime-Version: 1.0 (Apple Message framework v929.2)
Subject: Re: Label Translation on Fedora 9
Date: Sun, 9 Nov 2008 12:26:58 -0600
References: <490EE548.60400@rubix.com> <490F00E1.4050704@rubix.com> <1225720309.3609.24.camel@moss-spartans.epoch.ncsc.mil> <200811031129.58700.paul.moore@hp.com> <490F6059.3010106@redhat.com>
Sender: owner-selinux@tycho.nsa.gov
List-Id: selinux@tycho.nsa.gov

On Nov 3, 2008, at 2:34 PM, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Paul Moore wrote:
>> On Monday 03 November 2008 8:51:49 am Stephen Smalley wrote:
>>> On Mon, 2008-11-03 at 14:47 +0100, Andy Warner wrote:
>>>> Stephen Smalley wrote:
>>>>> On Mon, 2008-11-03 at 12:49 +0100, Andy Warner wrote:
>>>>>> I am running Fedora 9 with the MLS policy and see no evidence
>>>>>> that the label translation is enabled. I am using the default
>>>>>> setrans.conf and the "disable=1" flag is commented out.
>>>>>>
>>>>>> Using the selinux_trans_to_raw (e.g., with a SystemHigh level)
>>>>>> produces the exact same label string as passed in which will
>>>>>> not pass validation (using s15:c0.c1023 will pass validation).
>>>>>>
>>>>>> Trying id-Z followed by newrole produces:
>>>>>> id -Z
>>>>>> warner_u:secadm_r:secadm_t:s0-s15:c0.c1023
>>>>>>
>>>>>> newrole -l SystemLow-SystemHigh
>>>>>> warner_u:secadm_r:secadm_t:SystemLow-SystemHigh is not a valid
>>>>>> context
>>>>>>
>>>>>> Is there something that must be done to activate label
>>>>>> translation?
>>>>> Label translation is provided by a daemon, mcstrans.
>>>>>
>>>>> yum install mcstrans
>>>>> /sbin/chkconfig mcstrans on
>>>>> /sbin/service mcstrans start
>>>> Thanks. I was not starting the mcstrans service. When I get a
>>>> translation, it seems odd as follows.
>>>>
>>>> without mcstrans:
>>>> id -Z
>>>> warner_u:secadm_r:secadm_t:s0-s15:c0.c1023
>>>>
>>>> with mcstrans:
>>>> id -Z
>>>> warner_u:secadm_r:secadm_t:SystemLow:SystemLow-SystemHigh
>>>>
>>>> Is it expected to have the high end of the range expressed as a
>>>> range? The translation table has the following relevant entries:
>>>> s0 SystemLow
>>>> s0-s15:c0.c1023 SystemLow-SystemHigh
>>> No, that looks wrong to me as well. cc'ing Dan Walsh of Red Hat,
>>> who
>>> maintains mcstrans.
>>>
>>> BTW, if you are looking for more complete MLS label translation
>>> support, you might try the extended mcstrans posted by Joe Nall.
>>
>> What is the status of the patch? I vaguely remember a little bit of
>> discussion/review about the patch but it's not clear to me if it was
>> ever accepted into upstream/Fedora and if it wasn't what the next
>> steps
>> were going to be ...
>>
> Good question, we have let this slip through the cracks. I would like
> to replace my library totally with Joe's. The only concern would be
> to
> allow people who used my format to convert to the new format if
> possible
> or at least document how to do this.

Sorry about the big delay in closure on this. We have been very busy
trying to build a demonstrable Fedora based MLS/X system to run our
applications on. The demo was last week in London and we have some time
to upstream our changes this month. That includes adding combination
constraints, label-to-color mapping and migration tools to mcstransd and
pushing it into a public repo for community consideration.

joe

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Paul Moore
To: Joe Nall
Subject: Re: Label Translation on Fedora 9
Date: Mon, 10 Nov 2008 10:56:57 -0500
Cc: Daniel J Walsh, Stephen Smalley, Andy Warner, selinux@tycho.nsa.gov
References: <490EE548.60400@rubix.com> <490F6059.3010106@redhat.com> <354D5A91-3C3C-4AFC-8062-72382AFD55BE@nall.com>
In-Reply-To: <354D5A91-3C3C-4AFC-8062-72382AFD55BE@nall.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Message-Id: <200811101056.57415.paul.moore@hp.com>
Sender: owner-selinux@tycho.nsa.gov
List-Id: selinux@tycho.nsa.gov

On Sunday 09 November 2008 1:26:58 pm Joe Nall wrote:
> On Nov 3, 2008, at 2:34 PM, Daniel J Walsh wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Paul Moore wrote:
> >> On Monday 03 November 2008 8:51:49 am Stephen Smalley wrote:
> >>> On Mon, 2008-11-03 at 14:47 +0100, Andy Warner wrote:
> >>>> Stephen Smalley wrote:
> >>>>> On Mon, 2008-11-03 at 12:49 +0100, Andy Warner wrote:
> >>>>>> I am running Fedora 9 with the MLS policy and see no evidence
> >>>>>> that the label translation is enabled. I am using the default
> >>>>>> setrans.conf and the "disable=1" flag is commented out.
> >>>>>>
> >>>>>> Using the selinux_trans_to_raw (e.g., with a SystemHigh level)
> >>>>>> produces the exact same label string as passed in which will
> >>>>>> not pass validation (using s15:c0.c1023 will pass validation).
> >>>>>>
> >>>>>> Trying id-Z followed by newrole produces:
> >>>>>> id -Z
> >>>>>> warner_u:secadm_r:secadm_t:s0-s15:c0.c1023
> >>>>>>
> >>>>>> newrole -l SystemLow-SystemHigh
> >>>>>> warner_u:secadm_r:secadm_t:SystemLow-SystemHigh is not a valid
> >>>>>> context
> >>>>>>
> >>>>>> Is there something that must be done to activate label
> >>>>>> translation?
> >>>>>
> >>>>> Label translation is provided by a daemon, mcstrans.
> >>>>>
> >>>>> yum install mcstrans
> >>>>> /sbin/chkconfig mcstrans on
> >>>>> /sbin/service mcstrans start
> >>>>
> >>>> Thanks. I was not starting the mcstrans service. When I get a
> >>>> translation, it seems odd as follows.
> >>>>
> >>>> without mcstrans:
> >>>> id -Z
> >>>> warner_u:secadm_r:secadm_t:s0-s15:c0.c1023
> >>>>
> >>>> with mcstrans:
> >>>> id -Z
> >>>> warner_u:secadm_r:secadm_t:SystemLow:SystemLow-SystemHigh
> >>>>
> >>>> Is it expected to have the high end of the range expressed as a
> >>>> range? The translation table has the following relevant entries:
> >>>> s0 SystemLow
> >>>> s0-s15:c0.c1023 SystemLow-SystemHigh
> >>>
> >>> No, that looks wrong to me as well. cc'ing Dan Walsh of Red Hat,
> >>> who
> >>> maintains mcstrans.
> >>>
> >>> BTW, if you are looking for more complete MLS label translation
> >>> support, you might try the extended mcstrans posted by Joe Nall.
> >>
> >> What is the status of the patch? I vaguely remember a little bit
> >> of discussion/review about the patch but it's not clear to me if
> >> it was ever accepted into upstream/Fedora and if it wasn't what
> >> the next steps
> >> were going to be ...
> >
> > Good question, we have let this slip through the cracks. I would
> > like to replace my library totally with Joe's. The only concern
> > would be to
> > allow people who used my format to convert to the new format if
> > possible
> > or at least document how to do this.
>
> Sorry about the big delay in closure on this. We have been very busy
> trying to build a demonstrable Fedora based MLS/X system to run our
> applications on. The demo was last week in London and we have some
> time to upstream our changes this month. That includes adding
> combination constraints, label-to-color mapping and migration tools
> to mcstransd and pushing it into a public repo for community
> consideration.

Cool. Do the current X/metacity patches support label coloring?

--
paul moore
linux @ hp

From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID:
Date: Mon, 10 Nov 2008 10:10:49 -0600
From: "Xavier Toth"
To: "Paul Moore"
Subject: Re: Label Translation on Fedora 9
Cc: "Joe Nall", "Daniel J Walsh", "Stephen Smalley", "Andy Warner", selinux@tycho.nsa.gov
In-Reply-To: <200811101056.57415.paul.moore@hp.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
References: <490EE548.60400@rubix.com> <490F6059.3010106@redhat.com> <354D5A91-3C3C-4AFC-8062-72382AFD55BE@nall.com> <200811101056.57415.paul.moore@hp.com>
Sender: owner-selinux@tycho.nsa.gov
List-Id: selinux@tycho.nsa.gov

On Mon, Nov 10, 2008 at 9:56 AM, Paul Moore wrote:
> On Sunday 09 November 2008 1:26:58 pm Joe Nall wrote:
>> On Nov 3, 2008, at 2:34 PM, Daniel J Walsh wrote:
>> > -----BEGIN PGP SIGNED MESSAGE-----
>> > Hash: SHA1
>> >
>> > Paul Moore wrote:
>> >> On Monday 03 November 2008 8:51:49 am Stephen Smalley wrote:
>> >>> On Mon, 2008-11-03 at 14:47 +0100, Andy Warner wrote:
>> >>>> Stephen Smalley wrote:
>> >>>>> On Mon, 2008-11-03 at 12:49 +0100, Andy Warner wrote:
>> >>>>>> I am running Fedora 9 with the MLS policy and see no evidence
>> >>>>>> that the label translation is enabled. I am using the default
>> >>>>>> setrans.conf and the "disable=1" flag is commented out.
>> >>>>>>
>> >>>>>> Using the selinux_trans_to_raw (e.g., with a SystemHigh level)
>> >>>>>> produces the exact same label string as passed in which will
>> >>>>>> not pass validation (using s15:c0.c1023 will pass validation).
>> >>>>>>
>> >>>>>> Trying id-Z followed by newrole produces:
>> >>>>>> id -Z
>> >>>>>> warner_u:secadm_r:secadm_t:s0-s15:c0.c1023
>> >>>>>>
>> >>>>>> newrole -l SystemLow-SystemHigh
>> >>>>>> warner_u:secadm_r:secadm_t:SystemLow-SystemHigh is not a valid
>> >>>>>> context
>> >>>>>>
>> >>>>>> Is there something that must be done to activate label
>> >>>>>> translation?
>> >>>>>
>> >>>>> Label translation is provided by a daemon, mcstrans.
>> >>>>>
>> >>>>> yum install mcstrans
>> >>>>> /sbin/chkconfig mcstrans on
>> >>>>> /sbin/service mcstrans start
>> >>>>
>> >>>> Thanks. I was not starting the mcstrans service. When I get a
>> >>>> translation, it seems odd as follows.
>> >>>>
>> >>>> without mcstrans:
>> >>>> id -Z
>> >>>> warner_u:secadm_r:secadm_t:s0-s15:c0.c1023
>> >>>>
>> >>>> with mcstrans:
>> >>>> id -Z
>> >>>> warner_u:secadm_r:secadm_t:SystemLow:SystemLow-SystemHigh
>> >>>>
>> >>>> Is it expected to have the high end of the range expressed as a
>> >>>> range? The translation table has the following relevant entries:
>> >>>> s0 SystemLow
>> >>>> s0-s15:c0.c1023 SystemLow-SystemHigh
>> >>>
>> >>> No, that looks wrong to me as well. cc'ing Dan Walsh of Red Hat,
>> >>> who
>> >>> maintains mcstrans.
>> >>>
>> >>> BTW, if you are looking for more complete MLS label translation
>> >>> support, you might try the extended mcstrans posted by Joe Nall.
>> >>
>> >> What is the status of the patch? I vaguely remember a little bit
>> >> of discussion/review about the patch but it's not clear to me if
>> >> it was ever accepted into upstream/Fedora and if it wasn't what
>> >> the next steps
>> >> were going to be ...
>> >
>> > Good question, we have let this slip through the cracks. I would
>> > like to replace my library totally with Joe's. The only concern
>> > would be to
>> > allow people who used my format to convert to the new format if
>> > possible
>> > or at least document how to do this.
>>
>> Sorry about the big delay in closure on this. We have been very busy
>> trying to build a demonstrable Fedora based MLS/X system to run our
>> applications on. The demo was last week in London and we have some
>> time to upstream our changes this month. That includes adding
>> combination constraints, label-to-color mapping and migration tools
>> to mcstransd and pushing it into a public repo for community
>> consideration.
>
> Cool. Do the current X/metacity patches support label coloring?
>
> --
> paul moore
> linux @ hp
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
>

No.

Ted

From mboxrd@z Thu Jan 1 00:00:00 1970
Cc: Daniel J Walsh, Stephen Smalley, Andy Warner, SE Linux, Xavier Toth
Message-Id: <97946D1C-80A3-448E-9CC2-1F020D479D40@nall.com>
From: Joe Nall
To: Paul Moore
In-Reply-To:
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Mime-Version: 1.0 (Apple Message framework v929.2)
Subject: Re: Label Translation on Fedora 9
Date: Mon, 10 Nov 2008 10:16:43 -0600
References: <490EE548.60400@rubix.com> <490F6059.3010106@redhat.com> <354D5A91-3C3C-4AFC-8062-72382AFD55BE@nall.com> <200811101056.57415.paul.moore@hp.com>
Sender: owner-selinux@tycho.nsa.gov
List-Id: selinux@tycho.nsa.gov

On Nov 10, 2008, at 10:10 AM, Xavier Toth wrote:
> On Mon, Nov 10, 2008 at 9:56 AM, Paul Moore wrote:
>> ...
>> Cool. Do the current X/metacity patches support label coloring?
>>
>> --
>> paul moore
>> linux @ hp
>
> No.
>
> Ted

Ted has unreleased patches to metacity and openbox support the coloring
the window banner based on classification. We want to move the code from
a shared library to mcstransd before releasing them into the wild.

He also wrote a simple banner program to show the current session level.
It needs to run in a protected type and better defend its screen real
estate or be integrated into X or the window manager.

joe

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Paul Moore
To: "Xavier Toth"
Subject: Re: Label Translation on Fedora 9
Date: Mon, 10 Nov 2008 11:26:13 -0500
Cc: "Joe Nall", "Daniel J Walsh", "Stephen Smalley", "Andy Warner", selinux@tycho.nsa.gov
References: <490EE548.60400@rubix.com> <200811101056.57415.paul.moore@hp.com>
In-Reply-To:
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Message-Id: <200811101126.13750.paul.moore@hp.com>
Sender: owner-selinux@tycho.nsa.gov
List-Id: selinux@tycho.nsa.gov

On Monday 10 November 2008 11:10:49 am Xavier Toth wrote:
> On Mon, Nov 10, 2008 at 9:56 AM, Paul Moore wrote:
> > On Sunday 09 November 2008 1:26:58 pm Joe Nall wrote:
> >> Sorry about the big delay in closure on this. We have been very
> >> busy trying to build a demonstrable Fedora based MLS/X system to
> >> run our applications on. The demo was last week in London and we
> >> have some time to upstream our changes this month. That includes
> >> adding combination constraints, label-to-color mapping and
> >> migration tools to mcstransd and pushing it into a public repo for
> >> community consideration.
> >
> > Cool. Do the current X/metacity patches support label coloring?
>
> No.

Okay, just out of curiosity is this being worked on? Also, what other
applications are there for label coloring?

I'm just trying to understand things a little better.

--
paul moore
linux @ hp

From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID:
Date: Mon, 10 Nov 2008 10:34:54 -0600
From: "Xavier Toth"
To: "Paul Moore"
Subject: Re: Label Translation on Fedora 9
Cc: "Joe Nall", "Daniel J Walsh", "Stephen Smalley", "Andy Warner", selinux@tycho.nsa.gov
In-Reply-To: <200811101126.13750.paul.moore@hp.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
References: <490EE548.60400@rubix.com> <200811101056.57415.paul.moore@hp.com> <200811101126.13750.paul.moore@hp.com>
Sender: owner-selinux@tycho.nsa.gov
List-Id: selinux@tycho.nsa.gov

On Mon, Nov 10, 2008 at 10:26 AM, Paul Moore wrote:
> On Monday 10 November 2008 11:10:49 am Xavier Toth wrote:
>> On Mon, Nov 10, 2008 at 9:56 AM, Paul Moore wrote:
>> > On Sunday 09 November 2008 1:26:58 pm Joe Nall wrote:
>> >> Sorry about the big delay in closure on this. We have been very
>> >> busy trying to build a demonstrable Fedora based MLS/X system to
>> >> run our applications on. The demo was last week in London and we
>> >> have some time to upstream our changes this month. That includes
>> >> adding combination constraints, label-to-color mapping and
>> >> migration tools to mcstransd and pushing it into a public repo for
>> >> community consideration.
>> >
>> > Cool. Do the current X/metacity patches support label coloring?
>>
>> No.
>
> Okay, just out of curiosity is this being worked on? Also, what other
> applications are there for label coloring?
>
> I'm just trying to understand things a little better.
>
> --
> paul moore
> linux @ hp
>

Once we get color support in Joe's version of mcstrans I'll integrate
color support into metacity and openbox and then work on getting it
upstreamed. Aside from mcstrans modifications this will require
libselinux changes to implement new apis to get color based on context.
I'm not sure what other applications there are for label coloring.

Ted

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Paul Moore
To: Joe Nall, Xavier Toth
Subject: Re: Label Translation on Fedora 9
Date: Mon, 10 Nov 2008 11:53:30 -0500
Cc: Daniel J Walsh, Stephen Smalley, Andy Warner, SE Linux
References: <490EE548.60400@rubix.com> <97946D1C-80A3-448E-9CC2-1F020D479D40@nall.com>
In-Reply-To: <97946D1C-80A3-448E-9CC2-1F020D479D40@nall.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Message-Id: <200811101153.30563.paul.moore@hp.com>
Sender: owner-selinux@tycho.nsa.gov
List-Id: selinux@tycho.nsa.gov

On Monday 10 November 2008 11:16:43 am Joe Nall wrote:
> On Nov 10, 2008, at 10:10 AM, Xavier Toth wrote:
> > On Mon, Nov 10, 2008 at 9:56 AM, Paul Moore wrote:
> >> ...
> >> Cool. Do the current X/metacity patches support label coloring?
> >>
> >> --
> >> paul moore
> >> linux @ hp
> >
> > No.
> >
> > Ted
>
> Ted has unreleased patches to metacity and openbox support the
> coloring the window banner based on classification. We want to move
> the code from a shared library to mcstransd before releasing them
> into the wild.
>
> He also wrote a simple banner program to show the current session
> level. It needs to run in a protected type and better defend its
> screen real estate or be integrated into X or the window manager.

Okay, sounds good. Thanks for the update.

--
paul moore
linux @ hp
From mboxrd@z Thu Jan 1 00:00:00 1970
From: Russell Coker
Reply-To: russell@coker.com.au
To: Joe Nall
Subject: Re: Label Translation on Fedora 9
Date: Wed, 12 Nov 2008 20:23:27 +1100
Cc: Daniel J Walsh, Paul Moore, Stephen Smalley, Andy Warner, selinux@tycho.nsa.gov
References: <490EE548.60400@rubix.com> <490F6059.3010106@redhat.com> <354D5A91-3C3C-4AFC-8062-72382AFD55BE@nall.com>
In-Reply-To: <354D5A91-3C3C-4AFC-8062-72382AFD55BE@nall.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Message-Id: <200811122023.32169.russell@coker.com.au>
Sender: owner-selinux@tycho.nsa.gov
List-Id: selinux@tycho.nsa.gov

On Monday 10 November 2008 05:26, Joe Nall wrote:
> Sorry about the big delay in closure on this. We have been very busy
> trying to build a demonstrable Fedora based MLS/X system to run our
> applications on. The demo was last week in London and we have some
> time to upstream our changes this month. That includes adding
> combination constraints, label-to-color mapping and migration tools to
> mcstransd and pushing it into a public repo for community consideration.

Have you considered making a Xen image of that available for public
download?

One item on my todo list is to prepare some Xen images of SE Linux for
download so that people can try it out. I have recently acquired a
suitable server (thanks to a generous German friend) and now only need
to find the time.

Another item on my todo list is to run a Xen server for public SE Linux
training. Hopefully I will get that done in a couple of weeks.

Also I'm idly considering putting a Debian SE Linux image on EC2. I'm
not sure if that would interest anyone though.

--
russell@coker.com.au
http://etbe.coker.com.au/ My Blog
http://www.coker.com.au/sponsorship.html Sponsoring Free Software development

From mboxrd@z Thu Jan 1 00:00:00 1970
Cc: Daniel J Walsh, Paul Moore, Stephen Smalley, Andy Warner, selinux@tycho.nsa.gov
Message-Id: <9E8AB73F-4BE2-48A3-927F-12B5C17DE0EF@nall.com>
From: Joe Nall
To: russell@coker.com.au
In-Reply-To: <200811122023.32169.russell@coker.com.au>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Mime-Version: 1.0 (Apple Message framework v929.2)
Subject: Re: Label Translation on Fedora 9
Date: Wed, 12 Nov 2008 07:57:12 -0600
References: <490EE548.60400@rubix.com> <490F6059.3010106@redhat.com> <354D5A91-3C3C-4AFC-8062-72382AFD55BE@nall.com> <200811122023.32169.russell@coker.com.au>
Sender: owner-selinux@tycho.nsa.gov
List-Id: selinux@tycho.nsa.gov

On Nov 12, 2008, at 3:23 AM, Russell Coker wrote:

> On Monday 10 November 2008 05:26, Joe Nall wrote:
>> Sorry about the big delay in closure on this. We have been very busy
>> trying to build a demonstrable Fedora based MLS/X system to run our
>> applications on. The demo was last week in London and we have some
>> time to upstream our changes this month. That includes adding
>> combination constraints, label-to-color mapping and migration tools
>> to mcstransd and pushing it into a public repo for community
>> consideration.
>
> Have you considered making a Xen image of that available for public
> download?

No. I like the idea, but don't have the time right now. I would rather
see the Fedora re-spin process be capable of an MLS Live CD. It might be
pretty close these days, but I haven't tried it in about 12 months.

joe

> One item on my todo list is to prepare some Xen images of SE Linux
> for download so that people can try it out. I have recently acquired
> a suitable server (thanks to a generous German friend) and now only
> need to find the time.
>
> Another item on my todo list is to run a Xen server for public SE
> Linux training. Hopefully I will get that done in a couple of weeks.
>
> Also I'm idly considering putting a Debian SE Linux image on EC2.
> I'm not sure if that would interest anyone though.
>
> --
> russell@coker.com.au
> http://etbe.coker.com.au/ My Blog
>
> http://www.coker.com.au/sponsorship.html Sponsoring Free Software
> development