[refpolicy] [PATCH/RFC 2/2] Add minidlna policy

Dominick Grift dominick.grift at gmail.com
Fri May 3 08:19:35 EDT 2013


On Fri, 2013-05-03 at 14:02 +0200, Sven Vermeulen wrote:
> On May 3, 2013 9:08 AM, "Dominick Grift" <dominick.grift at gmail.com> wrote:
> > Looks like compat_net support may have been completely removed:
> >
> > http://lists.openwall.net/netdev/2009/03/27/144
> 
> Now I'm completely lost. Does that mean that the "old", non-labeled
> approach is not used anymore? I could've sworn that node_t and netif_t were
> still used.
> 

Nodes and network interfaces can be labeled with semanage, I believe.

But by default I think most domains can use only default network
interface and node types (so node_t and netif_t, not all types
classified node_type or netif_type).

# semanage interface -l
# semanage node -l

Seems no network interfaces or nodes are labeled by default.

> > I think we need more and better, practical examples of how to use
> > secmark and how secmark can be configured to match the old compat_net
> > functionality
> >
> > There is one nice how-to by Dan Walsh on Linux.com, but other than that
> > documentation is lacking in my view.
> 
> Ack. And also how the default behavior is if no secmark/labeling is used...

What you see (AVC denials) is what you get by default.


