[redhat-lspp] [RFC 0/7] Latest NetLabel patch

paul.moore at hp.com
Thu Jul 6 21:34:06 UTC 2006


Another updated NetLabel patchset, the big changes this time include a rework
of the SELinux hooks based on some comments from Stephen and some minor
tweaking of the netlink message formats so that each "field" is now aligned,
similar to the netlink attributes.  FWIW, I looked at using the netlink
attributes themselves but it didn't seem to offer any real advantage over the
current system so I decided to just better align the current "fields".

As far as the kernel patch goes there are really only two things left on my
ToDo list:

 * Unlabeled packet check (right now we fall through to the xfrm check)
 * Protection against setsockopt()

Both of these seem to be dependent on the outcome of RH BZ #195238 as these
both would require policy additions so we need a way to en/disable these new
features.  The second item, greater setsockopt() granularity, could be
considered optional and done at a later date.  The first item is a bit more
important but if pressed I imagine we could defer that as well; it is just a
little strange without it.

Due to the change in the netlink message format you will need to grab a new
copy of netlabel_tools, version 0.15.  The tarball can be found here:

 * http://free.linux.hp.com/~pmoore/projects/linux_cipso

--
paul moore
linux security @ hp



