[redhat-lspp] lspp 39 kernel released

Venkat Yekkirala vyekkirala at TrustedCS.com
Tue Jun 27 14:03:18 UTC 2006


Joy was going to post a detailed howto. For the new/modified controls
this patch introduces, the following would be what the policy would
boil down to for a given domain.

---------------------------------------------
Let's take an example.

Given that you have the following in the IPSec policy:

Policy rule for ftpd defined with the context: ftpd_xfrm_t

Security Association defined with the context:  ftpd_sa_t (optionally can be
negotiated via IKE, in which case it would use ftpd_xfrm_t as the type for
the negotiated SA).

This is what the SELinux policy would look like:

For output:

allow ftpd_t ftpd_xfrm_t:association { polmatch };
allow ftpd_t ftpd_sa_t:association { sendto };

allow ftpd_sa_t ftpd_xfrm_t:association { polmatch };


For input:

allow ftpd_sa_t ftpd_xfrm_t:association { polmatch }; (ALREADY ALLOWED PER OUTPUT POLICY)

allow ftpd_t ftpd_sa_t:association { recvfrom };



If you are wondering about the asymmetry in the number of access checks, it
is because in the output case there's the extra step of selecting SAs given
an IPSec policy rule and a flow/socket, whereas in the input case the SAs
are already tied to the flow. This asymmetry is thus inherent.
--------------------------------------------

> -----Original Message-----
> From: Steve Grubb [mailto:sgrubb at redhat.com]
> Sent: Monday, June 26, 2006 7:12 PM
> To: lspp-list
> Subject: [redhat-lspp] lspp 39 kernel released
> 
> 
> Hi,
> 
> The lspp.39 kernel has been published to the lspp yum repo at: 
> http://people.redhat.com/sgrubb/files/lspp
> 
> The changes are:
> 
> - Added IPSec xfrm patch from Venkat.
> 
> Please let me know if there are any problems with this kernel.
> 
> -Steve
> 
> --
> redhat-lspp mailing list
> redhat-lspp at redhat.com
> https://www.redhat.com/mailman/listinfo/redhat-lspp
> 
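The output/input access checks described in the reply above, as an added example that is not part of the original post or of the lspp kernel patch: a small Python helper that parses `allow` rules written in the syntax used in the reply and reports which `association` checks a policy fragment still lacks for a given traffic direction. The type names ftpd_t, ftpd_xfrm_t and ftpd_sa_t are taken from the post; the function names, the rule parser and the sample policy text are assumptions made for this example.

```python
import re
from typing import List, NamedTuple, Tuple

# Regex for the simple "allow src tgt:class { perm ... };" form used in the post.
# Trailing commentary after the semicolon (e.g. "(ALREADY ALLOWED ...)") is ignored.
ALLOW_RE = re.compile(r"allow\s+(\S+)\s+(\S+):(\S+)\s*\{\s*([^}]*)\}\s*;")


class AllowRule(NamedTuple):
    source: str
    target: str
    tclass: str
    perms: frozenset


def parse_allow_rules(policy_text: str) -> List[AllowRule]:
    """Extract every allow rule from a policy fragment."""
    rules = []
    for m in ALLOW_RE.finditer(policy_text):
        src, tgt, cls, perms = m.groups()
        rules.append(AllowRule(src, tgt, cls, frozenset(perms.split())))
    return rules


def is_allowed(rules: List[AllowRule], src: str, tgt: str, tclass: str, perm: str) -> bool:
    """True if some rule grants perm on src -> tgt:tclass."""
    return any(
        r.source == src and r.target == tgt and r.tclass == tclass and perm in r.perms
        for r in rules
    )


def required_checks(direction: str, proc: str, xfrm: str, sa: str) -> List[Tuple[str, str, str, str]]:
    """The association checks the post lists for one direction.

    Output: the process must polmatch the policy rule, sendto the SA, and the
    SA must itself polmatch the policy rule (SA selection happens on output).
    Input: the SA is already tied to the flow, so only the SA polmatch and the
    process recvfrom on the SA remain.
    """
    if direction == "output":
        return [
            (proc, xfrm, "association", "polmatch"),
            (proc, sa, "association", "sendto"),
            (sa, xfrm, "association", "polmatch"),
        ]
    if direction == "input":
        return [
            (sa, xfrm, "association", "polmatch"),
            (proc, sa, "association", "recvfrom"),
        ]
    raise ValueError(f"unknown direction: {direction}")


def missing_rules(policy_text: str, direction: str, proc: str, xfrm: str, sa: str) -> List[str]:
    """Return the allow rules a fragment lacks for the given direction, in policy syntax."""
    rules = parse_allow_rules(policy_text)
    return [
        f"allow {s} {t}:{c} {{ {p} }};"
        for (s, t, c, p) in required_checks(direction, proc, xfrm, sa)
        if not is_allowed(rules, s, t, c, p)
    ]


# Constructed sample: the output-side rules from the post only.
OUTPUT_ONLY_POLICY = """
allow ftpd_t ftpd_xfrm_t:association { polmatch };
allow ftpd_t ftpd_sa_t:association { sendto };
allow ftpd_sa_t ftpd_xfrm_t:association { polmatch };
"""

# Constructed sample: output rules plus the input-side recvfrom rule.
FULL_POLICY = OUTPUT_ONLY_POLICY + """
allow ftpd_sa_t ftpd_xfrm_t:association { polmatch }; (ALREADY ALLOWED PER OUTPUT POLICY)
allow ftpd_t ftpd_sa_t:association { recvfrom };
"""

if __name__ == "__main__":
    for name, text in (("output-only", OUTPUT_ONLY_POLICY), ("full", FULL_POLICY)):
        for direction in ("output", "input"):
            gaps = missing_rules(text, direction, "ftpd_t", "ftpd_xfrm_t", "ftpd_sa_t")
            print(f"{name:12s} {direction:6s} missing: {gaps or 'nothing'}")
```

Running the helper over the two fragments shows the asymmetry the reply describes: the output-only fragment satisfies all three output checks but lacks only `recvfrom` for input, because the SA polmatch rule is shared by both directions.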