From: paul.moore@hp.com (Paul Moore) Date: Fri, 13 Feb 2009 18:17:29 -0500 Subject: [refpolicy] [PATCH] refpolicy: Add missing network related MLSconstraints In-Reply-To: <170D6ABBBA770349AA49582A86FCED15BA0238@HAVOC.tcs-sec.com> References: <20090212211531.619341973@hp.com> <200902131702.10467.paul.moore@hp.com> <170D6ABBBA770349AA49582A86FCED15BA0238@HAVOC.tcs-sec.com> Message-ID: <200902131817.29764.paul.moore@hp.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Friday 13 February 2009 05:17:13 pm chanson at trustedcs.com wrote: > You are correct, we want to keep the existing overrides, but not provide > anymore overrides. The network interface / node checking rope should be > very short. The few exceptions of unlabeled_t or kernel_t. kernel_t was > necessary for nfs awhile back (may not be necessary now), probably > iSCSI, or basically things where the kernel is generating the packet > instead of a process and not assuming other credentials. Well, I suppose we can take the minimalistic, aka "short rope", approach right now since the ingress/egress controls are still new and not really integrated into policy in the form of templates. As we continue to develop the policy and we find a need for them we can always [re-]add them. Unless anyone chimes in over the weekend or next Monday I'll respin a patch next week. Just out of curiosity, are you guys using any of the new stuff or are you still using your own special kernel with the rejected network controls? I ask because I would be curious about any feedback you might have on the new bits in mainline. -- paul moore linux @ hp