From: dominick.grift@gmail.com (Dominick Grift)
Date: Fri, 03 May 2013 14:19:35 +0200
Subject: [refpolicy] [PATCH/RFC 2/2] Add minidlna policy
In-Reply-To:
References: <20130501183657.GA25116@siphos.be> <20130501183845.GC25116@siphos.be> <1367509285.27309.34.camel@d30> <20130502192347.GA25444@siphos.be> <1367524372.27309.45.camel@d30> <1367564909.27309.49.camel@d30>
Message-ID: <1367583575.27309.55.camel@d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, 2013-05-03 at 14:02 +0200, Sven Vermeulen wrote:
> On May 3, 2013 9:08 AM, "Dominick Grift" wrote:
> > Looks like compat_net support may have been completely removed:
> >
> > http://lists.openwall.net/netdev/2009/03/27/144
>
> Now I'm completely lost. Does that mean that the "old", non-labeled
> approach is not used anymore? I could've sworn that node_t and netif_t were
> still used.
>

Nodes and network interfaces can be labeled with semanage, I believe, but
by default I think most domains can use only default network interface
and node types (so node_t and netif_t, not all types classified
node_type or netif_type).

# semanage interface -l
# semanage node -l

Seems no network interfaces or nodes are labeled by default.

> > I think we need more and better, practical examples of how to use
> > secmark and how secmark can be configured to match the old compat_net
> > functionality
> >
> > There is one nice how-to by Dan Walsh on Linux.com, but other than that
> > documentation is lacking in my view
>
> Ack. And also how the default behavior is if no secmark/labeling is used...

What you see (AVC denials) is what you get by default.