[redhat-lspp] Re: RHEL5 Kernel with labeled networking

Linda Knippers linda.knippers at hp.com
Tue Oct 3 15:51:09 UTC 2006


Stephen Smalley wrote:
> On Tue, 2006-10-03 at 11:34 -0400, Linda Knippers wrote:
> 
>>Eric,
>>
>>I've booted your kernel on the following systems:
>>
>>ia64 box running rhel5 beta 1 targeted policy
>>x86 box running fc6t2 mls policy
>>
>>I don't have any labeled networking specifically configured.
>>
>>Networking only works in permissive mode.  If I put either system
>>in enforcing mode, I can't ping, bring up X, or do anything.
>>
>>Are there some policy changes that are needed?   Seems like by default
>>everything should work like it did before?
> 
> 
> Only if you set /selinux/compat_net to 1.
> Otherwise, you need modified policy to define and allow flow_in/flow_out
> permissions as required, and I suspect you need more in order to deal
> with the fact that we now get labeled traffic on loopback by default
> (thus affecting packet send/recv as well).  Venkat, do you have a policy
> patch?
> 

Ok, with /selinux/compat_net set to 1, I can go into enforcing mode
on my rhel5 beta 1 targeted system.  It's got selinux-policy-2.3.3-22.

The first time I tried the same thing on my fc6/mls system it killed
all my network sessions.  The second time I tried it my established
sessions stayed up but the mouse quit working.  This system has
selinux-policy-mls-2.3.16-6.

-- ljk
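The thread turns on the difference between the legacy network checks (selected by /selinux/compat_net=1) and the newer packet-class permissions (send/recv/flow_in/flow_out) that need explicit policy. The triage helper below is an added example, not code from the thread or from the SELinux project: it reads AVC denial lines from the audit log, separates packet-class denials (the ones compat_net=1 would mask) from everything else, and lists the allow rules a policy patch would need to cover for review. The audit lines, PIDs and type names in the sample are constructed.

```python
import re
from collections import Counter

# Kernel AVC format: "avc:  denied  { perms } for ... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Permissions of the secmark-based network controls. With /selinux/compat_net=1 the
# kernel falls back to the legacy node/netif/socket checks and these are not applied.
PACKET_PERMS = {("packet", p) for p in ("send", "recv", "flow_in", "flow_out")}

# Constructed sample audit log: three packet-class denials on loopback plus an
# unrelated chr_file denial (the kind of thing behind a mouse that stops working).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1159890001.001:101): avc:  denied  { recv } for  pid=2210 comm="ping" saddr=127.0.0.1 daddr=127.0.0.1 netif=lo scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
type=AVC msg=audit(1159890001.002:102): avc:  denied  { send } for  pid=2210 comm="ping" saddr=127.0.0.1 daddr=127.0.0.1 netif=lo scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
type=AVC msg=audit(1159890002.003:103): avc:  denied  { flow_in } for  pid=2305 comm="Xorg" saddr=127.0.0.1 daddr=127.0.0.1 netif=lo scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
type=AVC msg=audit(1159890003.004:104): avc:  denied  { read } for  pid=2305 comm="Xorg" name="mouse" dev=tmpfs ino=1 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=system_u:object_r:mouse_device_t:s0 tclass=chr_file
"""

def parse_avc(line):
    """Return (perms, source type, target type, tclass) for an AVC denial, else None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    perms = tuple(m.group("perms").split())          # braces may hold several perms
    stype = m.group("scon").split(":")[2]             # user:role:type[:mls] -> type
    ttype = m.group("tcon").split(":")[2]
    return perms, stype, ttype, m.group("tclass")

def triage(lines):
    """Split denials into packet-class ones (masked by compat_net=1) and the rest.
    'rules' are candidate allow rules for the packet denials, for human review."""
    packet, other, rules = Counter(), Counter(), set()
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        perms, stype, ttype, tclass = parsed
        for perm in perms:
            key = (stype, ttype, tclass, perm)
            if (tclass, perm) in PACKET_PERMS:
                packet[key] += 1
                rules.add(f"allow {stype} {ttype}:{tclass} {perm};")
            else:
                other[key] += 1
    return {"packet": packet, "other": other, "rules": sorted(rules)}

if __name__ == "__main__":
    result = triage(SAMPLE_AUDIT.splitlines())
    print(f"{sum(result['packet'].values())} packet-class denials, "
          f"{sum(result['other'].values())} other denials")
    print("\n".join(result["rules"]))
```

Run it against `ausearch -m avc` output instead of the sample to see whether a system that only works in permissive mode is failing on packet-class checks (a compat_net or policy question) or on something unrelated.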