> CIPSO
> ------
> MA: Paul is still on vacation.
> GW: That was mostly a question for Irena, is it going to make it in
> beta?
> IR: It is in rawhide and marked as a beta blocker; means it needs to
> go through reviews and either accepted or rejected. If accepted it'll be
> part of beta 1, if rejected then it'll be part of beta 2. The decision will
> be made tomorrow or Thursday.
> GW: How will secmark be supported? Stephen Smalley posted something
> about having some problems with it. What's RH position on secmark when
> using evaluated configurations? Is it going to be a must have, or will we
> be working around it? This is with respect to node and net-if, mostly a
> net-if issue; whether we really need these controls in the evaluated
> configuration. This may be a mailing list question, not sure if anyone here
> knows the answer.
> IB: I don't have an answer, so I would say put it on the list.
> SH: Are those even needed? We already have controls.
> GW: Right, and that's why I am not convinced we need it. This is more
> like a firewall type control.
> JN: I don't know if there is a way to specify anything, you are either
> all CIPSO or not. Sometimes that was a problem for us.
> GW: Right, so you use firewall to control that.
> JN: No, with if-sec some hosts are multilevel, some single level; with
> CIPSO, it's all or nothing. It might have been addressed in a later
> version but I'm not sure.
> GW: So you don't have the granularity you need.
> JN: Right.
The NetLabel code has the ability to specify CIPSO configuration on a per-domain basis, not a per-host basis. This is due to a limitation in the existing LSM hooks and is not likely to change unless the LSM hooks change.

For those of you using the latest versions of the netlabel_tools you can specify specific per-domain CIPSO configurations with the following command line (for older versions replace "map" with "mgmt"):

  # netlabelctl map add domain:<domain> protocol:cipsov4,<doi>

An example for the "unlabeled_t" domain using CIPSO DOI #8 would be:

  # netlabelctl map add domain:unlabeled_t protocol:cipsov4,8

When a socket is created its type is checked against the configured NetLabel per-domain rules and if a match is found it is used; if there are no matches the default NetLabel rule is used. The default NetLabel rule is configured with the following command line:

  # netlabelctl map add default protocol:cipsov4,<doi>

--
paul moore
linux security @ hp

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
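The per-domain and default mapping commands above, wrapped in a small POSIX sh helper as an added example (this is not code from the post, from Paul Moore or from netlabel_tools). It validates the SELinux type name and the DOI before building each "netlabelctl map add" line, emits the default rule first so the fallback exists, and runs in dry-run mode unless DRY_RUN=0 so the generated configuration can be reviewed before it touches the kernel. It assumes a netlabel_tools version that accepts "map" (older versions need "mgmt", as the post notes); the domain "sshd_t" and DOI 2 in the usage line are constructed sample values.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post.
# Builds (and with DRY_RUN=0 applies) NetLabel per-domain CIPSO mappings.
# Assumption: netlabel_tools accepts "netlabelctl map ..." (newer syntax).

# An SELinux type name: letters, digits and underscores only.
valid_domain() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# A CIPSO DOI: a positive decimal integer (assumption: 0 is not usable).
valid_doi() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 0 ]
}

# Print the per-domain mapping command for DOMAIN DOI, or fail on bad input.
map_cmd() {
    valid_domain "$1" || return 1
    valid_doi "$2" || return 1
    printf 'netlabelctl map add domain:%s protocol:cipsov4,%s\n' "$1" "$2"
}

# Print the default (fallback) rule command for DOI, or fail on bad input.
default_cmd() {
    valid_doi "$1" || return 1
    printf 'netlabelctl map add default protocol:cipsov4,%s\n' "$1"
}

# apply_mappings DEFAULT_DOI domain=doi [domain=doi ...]
# Prints every command in order; with DRY_RUN=0 it also executes them.
# Any invalid pair aborts before anything is applied.
apply_mappings() {
    default_doi="$1"; shift
    cmds=$(default_cmd "$default_doi") || {
        echo "bad default DOI: $default_doi" >&2; return 1; }
    for pair in "$@"; do
        dom="${pair%%=*}"; doi="${pair#*=}"
        c=$(map_cmd "$dom" "$doi") || { echo "bad mapping: $pair" >&2; return 1; }
        cmds="$cmds
$c"
    done
    printf '%s\n' "$cmds"
    [ "${DRY_RUN:-1}" = 1 ] && return 0
    # Not dry-run: execute each generated line (requires root and NetLabel support).
    printf '%s\n' "$cmds" | while read -r line; do $line || return 1; done
}

# Usage (dry-run): default DOI 1, unlabeled_t on DOI 8, constructed sshd_t on DOI 2.
# apply_mappings 1 unlabeled_t=8 sshd_t=2
```

Because the helper only prints in the default dry-run mode, it can be run as an unprivileged user to check a mapping file before applying it; an invalid domain or DOI makes the whole set fail rather than leaving a partially configured NetLabel table.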
