From: paul.moore@hp.com (Paul Moore)
Date: Tue, 10 Feb 2009 09:39:18 -0500
Subject: [refpolicy] [RFC] Network MLS constraints
In-Reply-To: <1234274705.4921.16.camel@gorn>
References: <200902061715.10030.paul.moore@hp.com>
	<1234274705.4921.16.camel@gorn>
Message-ID: <200902100939.18974.paul.moore@hp.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tuesday 10 February 2009 09:05:03 am Christopher J. PeBenito wrote:
> On Fri, 2009-02-06 at 17:15 -0500, Paul Moore wrote:
> > In the course of looking into a problem with the new network
> > ingress/egress controls with the MLS policy I realized we were missing
> > MLS constraints for a lot of the new network controls ... Ooops.  Some
> > of the missing constraints are due to the new ingress/egress and peer
> > controls but I realized we are also missing the secmark controls.  I
> > just finished putting a patch together (still need to test it) but I'm
> > not 100% certain about some of these constraints (the inbound controls)
> > so I wanted to send out this email to try and generate some discussion.
>
> These seem reasonable to me.  Perhaps including the SELinux list would
> be a good idea to include, in case there are some MLS people on that
> list that aren't on this list?

Good idea.  I was able to test out a patch with yesterday with the new 
constraints and it behaved reasonably; I'll post the patch this week to both 
the refpol and selinux lists.

-- 
paul moore
linux @ hp