[refpolicy] kernel_corenetwork.te.in.patch
Daniel J Walsh
dwalsh at redhat.com
Fri Jun 4 15:32:25 CDT 2010
On 06/04/2010 11:43 AM, Christopher J. PeBenito wrote:
> On Fri, 2010-06-04 at 10:53 -0400, Daniel J Walsh wrote:
>> On 06/04/2010 09:52 AM, Christopher J. PeBenito wrote:
>>> On Wed, 2010-06-02 at 16:18 -0400, Daniel J Walsh wrote:
>>>> http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_corenetwork.te.in.patch
>>>>
>>>> tun_tap_device is an mls trusted object
>>>
>>> Why? This seems wrong to me.
>
>> I think virtual machines at different levels need to talk to this device.
>
> But there are several of these devices. Making it trusted means that
> there's no separation between the networks, which seems contrary to what
> an MLS system would want. More likely, the MLS label needs to be changed
> as needed.
>
I think the kernel will take care of the isolation.
Eric Dan, is the tuntap device per qemu instance?