From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 04 Jun 2010 11:43:30 -0400
Subject: [refpolicy] kernel_corenetwork.te.in.patch
In-Reply-To: <4C09135D.5070908@redhat.com>
References: <4C06BC99.5070505@redhat.com> <1275659561.809.52.camel@gorn.columbia.tresys.com> <4C09135D.5070908@redhat.com>
Message-ID: <1275666210.809.56.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, 2010-06-04 at 10:53 -0400, Daniel J Walsh wrote:
> On 06/04/2010 09:52 AM, Christopher J. PeBenito wrote:
> > On Wed, 2010-06-02 at 16:18 -0400, Daniel J Walsh wrote:
> >> http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_corenetwork.te.in.patch
> >>
> >> tun_tap_device is an mls trusted object
> >
> > Why? This seems wrong to me.
> I think virtual machines at different levels need to talk to this device.

But there are several of these devices. Making it trusted means that there's no separation between the networks, which seems contrary to what a MLS system would want. More likely, the MLS label needs to be changed as needed.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com