* [refpolicy] kernel_corenetwork.te.in.patch
@ 2009-05-21 15:15 Daniel J Walsh
0 siblings, 0 replies; 12+ messages in thread
From: Daniel J Walsh @ 2009-05-21 15:15 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F11/kernel_corenetwork.te.in.patch
Lots of new port types, and ports modified to include additional port numbers.
* [refpolicy] kernel_corenetwork.te.in.patch
@ 2010-06-02 20:18 Daniel J Walsh
2010-06-04 13:52 ` Christopher J. PeBenito
0 siblings, 1 reply; 12+ messages in thread
From: Daniel J Walsh @ 2010-06-02 20:18 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_corenetwork.te.in.patch
tun_tap_device is an mls trusted object
Lots of new port definitions.
* [refpolicy] kernel_corenetwork.te.in.patch
2010-06-02 20:18 Daniel J Walsh
@ 2010-06-04 13:52 ` Christopher J. PeBenito
2010-06-04 14:53 ` Daniel J Walsh
0 siblings, 1 reply; 12+ messages in thread
From: Christopher J. PeBenito @ 2010-06-04 13:52 UTC (permalink / raw)
To: refpolicy
On Wed, 2010-06-02 at 16:18 -0400, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_corenetwork.te.in.patch
>
> tun_tap_device is an mls trusted object
Why? This seems wrong to me.
> Lots of new port definitions.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
* [refpolicy] kernel_corenetwork.te.in.patch
2010-06-04 13:52 ` Christopher J. PeBenito
@ 2010-06-04 14:53 ` Daniel J Walsh
2010-06-04 15:43 ` Christopher J. PeBenito
0 siblings, 1 reply; 12+ messages in thread
From: Daniel J Walsh @ 2010-06-04 14:53 UTC (permalink / raw)
To: refpolicy
On 06/04/2010 09:52 AM, Christopher J. PeBenito wrote:
> On Wed, 2010-06-02 at 16:18 -0400, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_corenetwork.te.in.patch
>>
>> tun_tap_device is an mls trusted object
>
> Why? This seems wrong to me.
>
>> Lots of new port definitions.
>
I think virtual machines at different levels need to talk to this device.
* [refpolicy] kernel_corenetwork.te.in.patch
2010-06-04 14:53 ` Daniel J Walsh
@ 2010-06-04 15:43 ` Christopher J. PeBenito
2010-06-04 20:32 ` Daniel J Walsh
0 siblings, 1 reply; 12+ messages in thread
From: Christopher J. PeBenito @ 2010-06-04 15:43 UTC (permalink / raw)
To: refpolicy
On Fri, 2010-06-04 at 10:53 -0400, Daniel J Walsh wrote:
> On 06/04/2010 09:52 AM, Christopher J. PeBenito wrote:
> > On Wed, 2010-06-02 at 16:18 -0400, Daniel J Walsh wrote:
> >> http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_corenetwork.te.in.patch
> >>
> >> tun_tap_device is an mls trusted object
> >
> > Why? This seems wrong to me.
> I think virtual machines at different levels need to talk to this device.
But there are several of these devices. Making it trusted means that
there's no separation between the networks, which seems contrary to what
an MLS system would want. More likely, the MLS label needs to be changed
as needed.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
* [refpolicy] kernel_corenetwork.te.in.patch
2010-06-04 15:43 ` Christopher J. PeBenito
@ 2010-06-04 20:32 ` Daniel J Walsh
[not found] ` <20100607093019.GB19864@redhat.com>
0 siblings, 1 reply; 12+ messages in thread
From: Daniel J Walsh @ 2010-06-04 20:32 UTC (permalink / raw)
To: refpolicy
On 06/04/2010 11:43 AM, Christopher J. PeBenito wrote:
> On Fri, 2010-06-04 at 10:53 -0400, Daniel J Walsh wrote:
>> On 06/04/2010 09:52 AM, Christopher J. PeBenito wrote:
>>> On Wed, 2010-06-02 at 16:18 -0400, Daniel J Walsh wrote:
>>>> http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_corenetwork.te.in.patch
>>>>
>>>> tun_tap_device is an mls trusted object
>>>
>>> Why? This seems wrong to me.
>
>> I think virtual machines at different levels need to talk to this device.
>
> But there are several of these devices. Making it trusted means that
> there's no separation between the networks, which seems contrary to what
> an MLS system would want. More likely, the MLS label needs to be changed
> as needed.
>
I think the kernel will take care of the isolation.
Eric Dan, Is tuntap device per qemu instance?
* [refpolicy] kernel_corenetwork.te.in.patch
@ 2010-02-23 21:34 Daniel J Walsh
2010-03-05 18:47 ` Christopher J. PeBenito
0 siblings, 1 reply; 12+ messages in thread
From: Daniel J Walsh @ 2010-02-23 21:34 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F13/kernel_corenetwork.te.in.patch
Still a few extra network ports, although fewer than there used to be.
* [refpolicy] kernel_corenetwork.te.in.patch
@ 2009-11-12 20:57 Daniel J Walsh
0 siblings, 0 replies; 12+ messages in thread
From: Daniel J Walsh @ 2009-11-12 20:57 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F12/kernel_corenetwork.te.in.patch
Lots of new ports. For several domains, also split out the asterisk port 5060 to a sid port
* [refpolicy] kernel_corenetwork.te.in.patch
@ 2009-03-24 13:23 Daniel J Walsh
0 siblings, 0 replies; 12+ messages in thread
From: Daniel J Walsh @ 2009-03-24 13:23 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F11/kernel_corenetwork.te.in.patch
Lots of additional port interfaces.
Need aliases for node_t
* [refpolicy] kernel_corenetwork.te.in.patch
@ 2009-03-02 22:27 Daniel J Walsh
0 siblings, 0 replies; 12+ messages in thread
From: Daniel J Walsh @ 2009-03-02 22:27 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F11/kernel_corenetwork.te.in.patch
Add definitions for
afs_client, agentx, certmaster, dccm, festival, flash, ftps, kismet, kprop, munin, pingd, pki*, prelude, speech, streaming, virt
Add additional ports for dhcpc, snmp, tor, whois
A range of ports for cyphesis, http_cache, vnc
end of thread, other threads:[~2010-06-07 12:45 UTC | newest]
Thread overview: 12+ messages
2009-05-21 15:15 [refpolicy] kernel_corenetwork.te.in.patch Daniel J Walsh
-- strict thread matches above, loose matches on Subject: below --
2010-06-02 20:18 Daniel J Walsh
2010-06-04 13:52 ` Christopher J. PeBenito
2010-06-04 14:53 ` Daniel J Walsh
2010-06-04 15:43 ` Christopher J. PeBenito
2010-06-04 20:32 ` Daniel J Walsh
[not found] ` <20100607093019.GB19864@redhat.com>
2010-06-07 12:45 ` Christopher J. PeBenito
2010-02-23 21:34 Daniel J Walsh
2010-03-05 18:47 ` Christopher J. PeBenito
2009-11-12 20:57 Daniel J Walsh
2009-03-24 13:23 Daniel J Walsh
2009-03-02 22:27 Daniel J Walsh