[redhat-lspp] Re: RHEL5 Kernel with labeled networking

Linda Knippers linda.knippers at hp.com
Tue Oct 3 16:12:24 UTC 2006


Linda Knippers wrote:
> Stephen Smalley wrote:
> 
>>On Tue, 2006-10-03 at 11:34 -0400, Linda Knippers wrote:
>>
>>
>>>Eric,
>>>
>>>I've booted your kernel on the following systems:
>>>
>>>ia64 box running rhel5 beta 1 targeted policy
>>>x86 box running fc6t2 mls policy
>>>
>>>I don't have any labeled networking specifically configured.
>>>
>>>Networking only works in permissive mode.  If I put either system
>>>in enforcing mode, I can't ping, bring up X, or do anything.
>>>
>>>Are there some policy changes that are needed?   Seems like by default
>>>everything should work like it did before?
>>
>>
>>Only if you set /selinux/compat_net to 1.
>>Otherwise, you need modified policy to define and allow flow_in/flow_out
>>permissions as required, and I suspect you need more in order to deal
>>with the fact that we now get labeled traffic on loopback by default
>>(thus affecting packet send/recv as well).  Venkat, do you have a policy
>>patch?
>>
> 
> 
> OK, with /selinux/compat_net set to 1, I can go into enforcing mode
> on my rhel5 beta 1 targeted system.  It's got selinux-policy-2.3.3-22.
> 
> The first time I tried the same thing on my fc6/mls system it killed
> all my network sessions.  The second time I tried it my established
> sessions stayed up but the mouse quit working.  This system has
> selinux-policy-mls-2.3.16-6.

The mouse problem has nothing to do with this kernel.  It stops
working in mls enforcing mode with older kernels as well.  I haven't
been running X on my mls system so I never noticed before.

-- ljk
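Added example, not part of the thread above: a small POSIX sh helper that reports which of the states Stephen describes a system is in, by reading the `enforce` and `compat_net` nodes of selinuxfs. It assumes the 2006-era mount point `/selinux` from the thread (newer kernels mount selinuxfs at `/sys/fs/selinux`; pass that path as the argument instead). The classification follows the message: with `compat_net` set to 1 the old behaviour applies, without it an enforcing system needs policy granting `flow_in`/`flow_out`, and a tree with no `compat_net` node at all is a kernel from before the labeled-networking rework. The `make_fake_selinuxfs` helper builds a constructed directory tree so the check can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# Classifies a system's labeled-networking state from selinuxfs.
#   compat         : compat_net=1, legacy network checks, old policy works
#   new-enforcing  : compat_net=0 and enforcing, policy must allow flow_in/flow_out
#   new-permissive : compat_net=0 but permissive, denials are logged, not enforced
#   legacy         : no compat_net node, kernel predates the rework
#   no-selinuxfs   : selinuxfs not mounted at the given path

labeled_net_status() {
    fs="${1:-/selinux}"          # assumption: 2006-era mount point; newer is /sys/fs/selinux
    if [ ! -r "$fs/enforce" ]; then
        echo "no-selinuxfs"
        return 2
    fi
    enforce=$(cat "$fs/enforce")
    if [ ! -r "$fs/compat_net" ]; then
        echo "legacy"
        return 0
    fi
    compat=$(cat "$fs/compat_net")
    if [ "$compat" = "1" ]; then
        echo "compat"
        return 0
    fi
    if [ "$enforce" = "1" ]; then
        # The new controls are live and enforced: without flow_in/flow_out
        # rules (and loopback now carrying labels) traffic is denied, which
        # is the "can't ping, can't bring up X" symptom from the thread.
        echo "new-enforcing"
        return 1
    fi
    echo "new-permissive"
    return 0
}

# Constructed selinuxfs-like tree for offline demonstration (hypothetical helper).
# Usage: make_fake_selinuxfs DIR ENFORCE [COMPAT_NET]; omit COMPAT_NET for a legacy tree.
make_fake_selinuxfs() {
    dir="$1"; enforce="$2"; compat="$3"
    mkdir -p "$dir"
    printf '%s' "$enforce" > "$dir/enforce"
    if [ -n "$compat" ]; then
        printf '%s' "$compat" > "$dir/compat_net"
    fi
}
```

Running `labeled_net_status` on a live box (`labeled_net_status /selinux` or `labeled_net_status /sys/fs/selinux`) gives a quick answer to whether a networking outage in enforcing mode is the policy gap the thread discusses or something else, as with the mouse problem Linda separates out.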
