From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 09 Jan 2009 08:33:49 -0500
Subject: [refpolicy] [RFC] drop nodecons
In-Reply-To: <200901081045.17478.paul.moore@hp.com>
References: <1231341913.27022.20.camel@gorn.columbia.tresys.com> <200901071720.02842.paul.moore@hp.com> <1231424231.14773.17.camel@localhost.localdomain> <200901081045.17478.paul.moore@hp.com>
Message-ID: <1231508032.20122.3.camel@gorn>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, 2009-01-08 at 10:45 -0500, Paul Moore wrote:
> On Thursday 08 January 2009 9:17:11 am Stephen Smalley wrote:
> > On Wed, 2009-01-07 at 17:20 -0500, Paul Moore wrote:
> > > The next step is to get semanage to label network nodes (or fix it
> > > if it is broken).
> >
> > semanage node support exists, but might not correctly handle
> > conflicting/overlapping definitions between the base policy and local
> > customizations. See prior discussion on Adding local nodecon's
> > through semanage on selinux list.
>
> Yep, I've still got that thread marked in my inbox as something to
> revisit. It will grow more important once we enable the network peer
> controls policy capability (Chris, thoughts/comments on the patch I
> posted regarding that?).

I'm not ready to drop the protocol-specific interfaces. Refpolicy still
supports back to RHEL4, so the granularity of the original networking
controls is still important.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150