[redhat-lspp] Re: RHEL5 Kernel with labeled networking

Stephen Smalley sds at tycho.nsa.gov
Wed Oct 4 17:57:45 UTC 2006


On Wed, 2006-10-04 at 13:51 -0400, Eric Paris wrote:
> seipccreate is dead.  it will not be implemented without a user.
> setsockcreate i believe is already there....

but not defined in policy (flask/access_vectors) so no one can use it in
policy (but the kernel will deny it unless your allow rule implicitly
grants it via a * or a set complement).

> 
> -Eric
> 
> On Wed, 2006-10-04 at 12:41 -0500, Klaus Weidner wrote:
> > On Wed, Oct 04, 2006 at 11:20:32AM -0400, Linda Knippers wrote:
> > > Thanks for the reminder about that thread.
> > > https://www.redhat.com/archives/redhat-lspp/2006-August/msg00008.html
> > > 
> > > I didn't really see a conclusion though.  Dan was waiting to hear from
> > > Steve.  Steve didn't like it for the reasons I mentioned above.  Were
> > > the auditallows added to the MLS policy?  Did anyone create a module?
> > 
> > Yes, it's part of the "lspp_policy" module included in the kickstart
> > config RPM I posted yesterday.
> > 
> > This reminds me - can we assume that the setsocketcreate and
> > setipccreate attributes will remain unimplemented for RHEL5? If they get
> > added at the last minute the people who write the tests would get very
> > unhappy.
> > 
> > -Klaus
> > 
> > policy_module(lspp_policy,1.0)
> > 
> > gen_require(`
> >         attribute domain;
> > ')
> > 
> > # Audit setting of security relevant process attributes
> > # These settings are OPTIONAL
> > auditallow domain self:process setcurrent;
> > auditallow domain self:process setexec;
> > auditallow domain self:process setfscreate;
> > #auditallow domain self:process setsocketcreate; # FIXME
> > #auditallow domain self:process setipccreate; # FIXME
> > 
> > --
> > redhat-lspp mailing list
> > redhat-lspp at redhat.com
> > https://www.redhat.com/mailman/listinfo/redhat-lspp
> 
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo at tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
-- 
Stephen Smalley
National Security Agency
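
Stephen's point above is that a permission the kernel checks (setsockcreate) cannot be named in an allow or auditallow rule until it is declared under `class process` in the policy's flask/access_vectors, and Klaus's module works around that by commenting the two rules out with a FIXME. The script below is an added example, not code from this thread or from the reference policy: it parses a small access_vectors excerpt (constructed here, in the file's real `common`/`class ... inherits ...` syntax) and emits an lspp_policy-style module in which each requested auditallow rule is either live, when the permission is declared, or commented out with a FIXME, when it is not. `parse_access_vectors`, `undeclared` and `generate_auditallow_module` are hypothetical helper names; the permission is spelled `setsockcreate`, the kernel name Eric gives, rather than the `setsocketcreate` in the quoted module.

```python
"""Emit auditallow rules only for permissions that access_vectors declares.

Added example for the redhat-lspp thread; not part of any shipped policy.
"""
import re

# Constructed excerpt in the syntax of policy/flask/access_vectors.  It
# declares setcurrent/setexec/setfscreate for class process but neither
# setsockcreate nor setipccreate, mirroring the situation in the thread.
SAMPLE_ACCESS_VECTORS = """
# common permissions shared by file-like classes
common file
{
\tioctl
\tread
\twrite
\tgetattr
\tsetattr
}

class file
inherits file
{
\texecute_no_trans
\tentrypoint
}

class process
{
\tfork
\ttransition
\tsigchld
\tsetcurrent
\tsetexec
\tsetfscreate
\tsetrlimit
}
"""

_TOKEN_RE = re.compile(r"\{|\}|[A-Za-z_][A-Za-z0-9_]*")


def parse_access_vectors(text):
    """Return {class_name: set(permissions)} with inherited commons expanded.

    Comments run from '#' to end of line.  After stripping them the file is a
    flat token stream of 'common NAME { perms }' and
    'class NAME [inherits COMMON] [{ perms }]' blocks.
    """
    tokens = _TOKEN_RE.findall(re.sub(r"#.*", "", text))
    commons, classes = {}, {}
    i, n = 0, len(tokens)
    while i < n:
        kind = tokens[i]
        if kind not in ("common", "class") or i + 1 >= n:
            raise ValueError("unexpected token %r at %d" % (kind, i))
        name = tokens[i + 1]
        i += 2
        perms = set()
        inherited = False
        if kind == "class" and i + 1 < n and tokens[i] == "inherits":
            common = tokens[i + 1]
            if common not in commons:
                raise ValueError("class %s inherits unknown common %s" % (name, common))
            perms |= commons[common]  # copy into this class's own set
            inherited = True
            i += 2
        if i < n and tokens[i] == "{":
            i += 1
            while tokens[i] != "}":
                perms.add(tokens[i])
                i += 1
            i += 1
        elif not inherited:
            raise ValueError("%s %s has no permission block" % (kind, name))
        (commons if kind == "common" else classes)[name] = perms
    return classes


def undeclared(classes, class_name, wanted):
    """Permissions in 'wanted' that the policy does not declare for the class."""
    declared = classes.get(class_name, set())
    return [p for p in wanted if p not in declared]


def generate_auditallow_module(classes, class_name, wanted, module="lspp_policy"):
    """Build a module like the one in the thread.  A rule naming a permission
    that access_vectors does not declare would fail at policy compile time,
    so such rules are emitted commented out with a FIXME instead."""
    declared = classes.get(class_name, set())
    lines = [
        "policy_module(%s,1.0)" % module,
        "",
        "gen_require(`",
        "        attribute domain;",
        "')",
        "",
        "# Audit setting of security relevant process attributes",
    ]
    for perm in wanted:
        rule = "auditallow domain self:%s %s;" % (class_name, perm)
        if perm in declared:
            lines.append(rule)
        else:
            lines.append("#%s # FIXME: not declared in access_vectors" % rule)
    return "\n".join(lines) + "\n"


WANTED = ["setcurrent", "setexec", "setfscreate", "setsockcreate", "setipccreate"]

if __name__ == "__main__":
    av = parse_access_vectors(SAMPLE_ACCESS_VECTORS)
    print("undeclared for process:", undeclared(av, "process", WANTED))
    print(generate_auditallow_module(av, "process", WANTED))
```

Run it against a real `policy/flask/access_vectors` (read the file instead of the constructed string) to see whether a given tree declares the permission before writing rules for it; the `inherits` handling matters there because most file classes get their permissions from `common file`.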
