[redhat-lspp] Re: RHEL5 Kernel with labeled networking
Stephen Smalley
sds at tycho.nsa.gov
Wed Oct 4 14:09:02 UTC 2006
On Tue, 2006-10-03 at 12:08 -0400, James Morris wrote:
> On Tue, 3 Oct 2006, Eric Paris wrote:
>
> > I think there is going to need to be a policy change that I'm actually
> > talking with Dan about as I type this e-mail. I think we need
> >
> > allow $1 unlabeled_t:packet { flow_in flow_out };
> >
> > to be added to policy to allow things to work as they did. I'll post
> > again as soon as we have a policy that appears to let normal networking
> > work in enforcing.
>
> We need this policy in rawhide before the kernel patches are merged
> upstream, so we can note the required policy version associated with the
> patches. We do not want to kill Andrew Morton's box again with this
> kind of thing.
The compat_net support should avoid such breakage, and compat_net is
enabled by default in a default kernel config (just not in the Fedora
kernel config).
--
Stephen Smalley
National Security Agency