From: paul.moore@hp.com (Paul Moore)
Date: Wed, 14 Jan 2009 11:09:29 -0500
Subject: [refpolicy] [RFC] drop nodecons
In-Reply-To: <1231774489.4093.20.camel@defiant.pebenito.net>
References: <1231341913.27022.20.camel@gorn.columbia.tresys.com> <200901091611.22030.paul.moore@hp.com> <1231774489.4093.20.camel@defiant.pebenito.net>
Message-ID: <200901141109.29540.paul.moore@hp.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Monday 12 January 2009 10:34:49 am Chris PeBenito wrote:
> On Fri, 2009-01-09 at 16:11 -0500, Paul Moore wrote:
> > On Friday 09 January 2009 8:33:49 am Christopher J. PeBenito wrote:
> > > On Thu, 2009-01-08 at 10:45 -0500, Paul Moore wrote:
> > > > On Thursday 08 January 2009 9:17:11 am Stephen Smalley wrote:
> > > > > On Wed, 2009-01-07 at 17:20 -0500, Paul Moore wrote:
> > > > > > The next step is to get semanage to label network nodes (or
> > > > > > fix it if it is broken).
> > > > >
> > > > > semanage node support exists, but might not correctly handle
> > > > > conflicting/overlapping definitions between the base policy
> > > > > and local customizations. See prior discussion on Adding
> > > > > local nodecon's through semanage on selinux list.
> > > >
> > > > Yep, I've still got that thread marked in my inbox as something
> > > > to revisit. It will grow more important once we enable the
> > > > network peer controls policy capability (Chris,
> > > > thoughts/comments on the patch I posted regarding that?).
> > >
> > > I'm not ready to drop the protocol-specific interfaces.
> > > Refpolicy still supports back to RHEL4, so the granularity of the
> > > original networking controls is still important.
> >
> > Okay fair enough. Let me know what you think about the patch I
> > submitted to enable the network_peer_controls policy capability;
> > I'm really hoping that we can enable this for F11.
>
> As far as I can see, the only related part for that is the hunk that
> uncomments the capability. Perhaps you should resend it?
There were some other small fixes needed to allow unlabeled_t traffic.
Resending is a good idea, we can continue the discussion then ...

Thanks.

--
paul moore
linux @ hp