From: paul.moore@hp.com (Paul Moore)
Date: Tue, 10 Feb 2009 09:39:18 -0500
Subject: [refpolicy] [RFC] Network MLS constraints
In-Reply-To: <1234274705.4921.16.camel@gorn>
References: <200902061715.10030.paul.moore@hp.com> <1234274705.4921.16.camel@gorn>
Message-ID: <200902100939.18974.paul.moore@hp.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tuesday 10 February 2009 09:05:03 am Christopher J. PeBenito wrote:
> On Fri, 2009-02-06 at 17:15 -0500, Paul Moore wrote:
> > In the course of looking into a problem with the new network
> > ingress/egress controls with the MLS policy I realized we were missing
> > MLS constraints for a lot of the new network controls ... Ooops. Some
> > of the missing constraints are due to the new ingress/egress and peer
> > controls but I realized we are also missing the secmark controls. I
> > just finished putting a patch together (still need to test it) but I'm
> > not 100% certain about some of these constraints (the inbound controls)
> > so I wanted to send out this email to try and generate some discussion.
>
> These seem reasonable to me. Perhaps including the SELinux list would
> be a good idea to include, in case there are some MLS people on that
> list that aren't on this list?

Good idea. I was able to test out a patch yesterday with the new
constraints and it behaved reasonably; I'll post the patch this week to
both the refpol and selinux lists.

--
paul moore
linux @ hp