[refpolicy] [PATCH] refpolicy: Add missing network related MLS constraints
Paul Moore
paul.moore at hp.com
Fri Feb 13 17:17:29 CST 2009
On Friday 13 February 2009 05:17:13 pm chanson at trustedcs.com wrote:
> You are correct, we want to keep the existing overrides, but not provide
> any more overrides. The network interface / node checking rope should be
> very short. The few exceptions are unlabeled_t or kernel_t. kernel_t was
> necessary for nfs a while back (may not be necessary now), probably
> iSCSI, or basically things where the kernel is generating the packet
> instead of a process and not assuming other credentials.
Well, I suppose we can take the minimalistic, aka "short rope", approach right
now since the ingress/egress controls are still new and not really integrated
into policy in the form of templates. As we continue to develop the policy
and we find a need for them we can always [re-]add them. Unless anyone chimes
in over the weekend or next Monday I'll respin a patch next week.
Just out of curiosity, are you guys using any of the new stuff or are you
still using your own special kernel with the rejected network controls? I ask
because I would be curious about any feedback you might have on the new bits
in mainline.
--
paul moore
linux @ hp