[refpolicy] kernel_corenetwork.te.in.patch
Christopher J. PeBenito
cpebenito at tresys.com
Fri Jun 4 10:43:30 CDT 2010
On Fri, 2010-06-04 at 10:53 -0400, Daniel J Walsh wrote:
> On 06/04/2010 09:52 AM, Christopher J. PeBenito wrote:
> > On Wed, 2010-06-02 at 16:18 -0400, Daniel J Walsh wrote:
> >> http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_corenetwork.te.in.patch
> >>
> >> tun_tap_device is an mls trusted object
> >
> > Why? This seems wrong to me.
> I think virtual machines at different levels need to talk to this device.
But there are several of these devices. Making it trusted means that
there's no separation between the networks, which seems contrary to what
an MLS system would want. More likely, the MLS label needs to be changed
as needed.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com