From: paul.moore@hp.com (Paul Moore)
Date: Fri, 9 Jan 2009 16:11:21 -0500
Subject: [refpolicy] [RFC] drop nodecons
In-Reply-To: <1231508032.20122.3.camel@gorn>
References: <1231341913.27022.20.camel@gorn.columbia.tresys.com>
 <200901081045.17478.paul.moore@hp.com>
 <1231508032.20122.3.camel@gorn>
Message-ID: <200901091611.22030.paul.moore@hp.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Friday 09 January 2009 8:33:49 am Christopher J. PeBenito wrote:
> On Thu, 2009-01-08 at 10:45 -0500, Paul Moore wrote:
> > On Thursday 08 January 2009 9:17:11 am Stephen Smalley wrote:
> > > On Wed, 2009-01-07 at 17:20 -0500, Paul Moore wrote:
> > > > The next step is to get semanage to label network nodes (or fix
> > > > it if it is broken).
> > >
> > > semanage node support exists, but might not correctly handle
> > > conflicting/overlapping definitions between the base policy and
> > > local customizations. See prior discussion on Adding local
> > > nodecon's through semanage on selinux list.
> >
> > Yep, I've still got that thread marked in my inbox as something to
> > revisit. It will grow more important once we enable the network
> > peer controls policy capability (Chris, thoughts/comments on the
> > patch I posted regarding that?).
>
> I'm not ready to drop the protocol-specific interfaces. Refpolicy
> still supports back to RHEL4, so the granularity of the original
> networking controls is still important.

Okay fair enough. Let me know what you think about the patch I submitted
to enable the network_peer_controls policy capability; I'm really hoping
that we can enable this for F11.

-- 
paul moore
linux @ hp
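The overlap problem Stephen Smalley points at above (a local nodecon added through semanage that collides with one already in the base policy) is easy to check for mechanically. The script below is an added example, not code from this thread, refpolicy or semanage. It assumes both inputs are plain `nodecon <addr> <mask> <context>` statements as they appear in a compiled policy.conf (semanage's own on-disk formats are not parsed), the sample entries and the `dmz_node_t` type are constructed for illustration, and the `first_match` helper mirrors the kernel's in-order walk of node ocontexts (first entry whose masked address matches wins) with an assumed base-then-local ordering.

```python
"""Find overlapping/conflicting SELinux nodecon entries between a base policy
and local customizations.  Added example; not refpolicy or semanage code."""
import ipaddress
import re
from dataclasses import dataclass

# Assumed input syntax (classic policy.conf form): nodecon <addr> <mask> <context>
NODECON_RE = re.compile(r"^nodecon\s+(\S+)\s+(\S+)\s+(\S+)$")


@dataclass(frozen=True)
class Nodecon:
    family: int   # 4 or 6
    addr: int     # address as an integer, already ANDed with the mask
    mask: int     # mask as an integer; need not be contiguous
    context: str
    source: str   # "base" or "local"
    text: str     # original statement, for reporting


def _to_int(s):
    ip = ipaddress.ip_address(s)
    return ip.version, int(ip)


def parse_nodecons(text, source):
    """Parse nodecon statements; '#' starts a comment, blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = NODECON_RE.match(line)
        if not m:
            raise ValueError(f"{source}: not a nodecon statement: {raw!r}")
        a, msk, ctx = m.groups()
        fam_a, addr = _to_int(a)
        fam_m, mask = _to_int(msk)
        if fam_a != fam_m:
            raise ValueError(f"{source}: address/mask family mismatch: {raw!r}")
        entries.append(Nodecon(fam_a, addr & mask, mask, ctx, source, line))
    return entries


def covers(a, b):
    """True if every address matched by entry a is also matched by entry b... no:
    True if every address matched by b is also matched by a (a's mask bits are
    a subset of b's, and the two agree on those bits)."""
    return (a.family == b.family
            and (a.mask & b.mask) == a.mask
            and (b.addr & a.mask) == a.addr)


def overlaps(a, b):
    """True if at least one address is matched by both entries."""
    common = a.mask & b.mask
    return a.family == b.family and (a.addr & common) == (b.addr & common)


def check(base, local):
    """Return (kind, base_entry, local_entry) findings.
    'redundant': base already labels the same addresses with the same context.
    'shadowed' : base matches everything local does but with a different
                 context; with base ordered first, local is never reached.
    'conflict' : ranges partly overlap with different contexts, so which
                 label wins depends on entry order."""
    findings = []
    for l in local:
        for b in base:
            if not overlaps(b, l):
                continue
            same_ctx = b.context == l.context
            if covers(b, l):
                findings.append(("redundant" if same_ctx else "shadowed", b, l))
            elif not same_ctx:
                findings.append(("conflict", b, l))
    return findings


def first_match(entries, addr_str):
    """Simulate the kernel's node lookup: walk the entries in order and return
    the context of the first nodecon whose masked address matches, else None."""
    fam, ip = _to_int(addr_str)
    for e in entries:
        if e.family == fam and (ip & e.mask) == e.addr:
            return e.context
    return None


# Constructed samples; not refpolicy's real nodecon list.
BASE = """\
nodecon 127.0.0.1 255.255.255.255 system_u:object_r:node_lo_t:s0
nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system_u:object_r:node_lo_t:s0
nodecon 10.0.0.0 255.0.0.0 system_u:object_r:node_t:s0
"""
LOCAL = """\
# dmz_node_t is a hypothetical type used only for this example
nodecon 10.1.2.0 255.255.255.0 system_u:object_r:dmz_node_t:s0
nodecon 127.0.0.1 255.255.255.255 system_u:object_r:node_lo_t:s0
"""

if __name__ == "__main__":
    base, local = parse_nodecons(BASE, "base"), parse_nodecons(LOCAL, "local")
    for kind, b, l in check(base, local):
        print(f"{kind:9} base: {b.text}\n          local: {l.text}")
    print("10.1.2.7 base-first:", first_match(base + local, "10.1.2.7"))
    print("10.1.2.7 local-first:", first_match(local + base, "10.1.2.7"))
```

Run it and the local `10.1.2.0/24` entry is reported as shadowed by the base `10.0.0.0/8` one: with base entries ordered first a host in that /24 still resolves to `node_t`, and only if the local entry is placed first does it become `dmz_node_t`. That ordering dependence is the concrete reason a local nodecon has to be reconciled against the base policy rather than simply appended.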