[redhat-lspp] labeled ipsec policy

Joy Latten latten at austin.ibm.com
Mon Nov 20 15:09:42 UTC 2006


On Mon, 2006-11-20 at 10:00 -0500, Paul Moore wrote:
> On Friday 17 November 2006 5:30 pm, Joy Latten wrote:
> > The following policy enables labeled ipsec to run
> > in enforcing mode. I configure labeled ipsec in sysadm_r role.
> > Thus the rules I needed were specific to this role.
> 
> I'll let the policy gurus comment on the rest of the policy, but I think that 
> we would want only the secadm_r role (in the MLS/LSPP policy) to be able to 
> configure labeled IPsec.  Yes?
> 
Actually, I wondered about this too. But when I took a look at the
policy source, I noticed that in userdomain.te, sysadm_t was allowed
to execute ipsec programs ipsec_exec_mgmt(sysadm_t), so I just assumed I
should use sysadm_r role. Not sure if this was correct or not. Tried
secadm_r role out of curiosity and got quite a lot of avc denied
messages. So went with sysadm_r. :-)

If secadm_r should be used, please let me know as I would need to get
labeled ipsec working with policy in enforcing mode.

Joy 
