From: paul.moore@hp.com (Paul Moore)
Date: Mon, 2 Feb 2009 17:16:25 -0500
Subject: [refpolicy] network: Enable "network_peer_controls" and fix some remaining issues
In-Reply-To: <1233326781.6143.9.camel@defiant.pebenito.net>
References: <20090116220832.737175171@hp.com> <1233326781.6143.9.camel@defiant.pebenito.net>
Message-ID: <200902021716.25751.paul.moore@hp.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Friday 30 January 2009 9:46:21 am you wrote:
> On Fri, 2009-01-16 at 17:08 -0500, Paul Moore wrote:
> > plain text document attachment (network-in_out_basic)
> > We added the network_peer_controls capability back in Linux Kernel
> > 2.6.25 but didn't activate the capability because more work was
> > needed to ensure a smooth transition to the new controls. This
> > patch enables the network_peer_controls capability and fixes a few
> > remaining issues with its use. With this patch applied to the
> > Fedora Rawhide SELinux policy (selinux-policy-3.6.1-4.fc11) I am
> > able to interact with the machine over the network without any new
> > AVC denials.
>
> Does it work without the legacy support rules? I'm thinking that for
> now we don't want the legacy support in these interfaces, since we're
> still not ready to dump all the compat_net support. Then it's clear
> that it's not supposed to be used for compat_net rules.

I'm testing it right now (it should work without the legacy bits). Once I've verified the changes I'll repost.

-- 
paul moore
linux @ hp