Bug 210426

Summary: lspp: NetLabel SELinux policy is missing from RHEL5
Product: Red Hat Enterprise Linux 5
Reporter: Paul Moore <paul.moore>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: 5.0
CC: iboverma, linda.knippers
Target Milestone: ---
Keywords: Reopened
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: RC
Doc Type: Bug Fix
Last Closed: 2007-02-08 00:16:51 UTC

Description Paul Moore 2006-10-11 23:28:34 UTC
Description of problem:
The SELinux policy for RHEL5 does not include support for the kernel NetLabel
subsystem or the netlabel_tools/netlabelctl configuration utility.  Patches have
been posted to the SELinux list which provide this support.

 * http://marc.theaimsgroup.com/?l=selinux&m=116060249030419&w=2
 * http://marc.theaimsgroup.com/?l=selinux&m=116060249020535&w=2

Version-Release number of selected component (if applicable):
N/A

How reproducible:
N/A

Steps to Reproduce:
1. N/A
  
Actual results:
N/A

Expected results:
N/A

Additional info:
This directly affects the LSPP efforts of RH, HP, and IBM.

Comment 1 Irina Boverman 2006-10-12 20:44:31 UTC
This problem should be resolved prior to rc1.

Comment 2 Daniel Walsh 2006-10-18 21:03:22 UTC
Netlabel policy is present in selinux-policy-2.3.19-3

Comment 3 RHEL Program Management 2006-12-23 01:16:32 UTC
A package has been built which should help the problem described in 
this bug report. This report is therefore being closed with a resolution 
of CURRENTRELEASE. You may reopen this bug report if the solution does 
not work for you.


Comment 4 Paul Moore 2007-01-04 22:40:32 UTC
I am reopening this bug report because during further testing it was found 
that only the user related domains have access to NetLabel traffic.  Network 
applications like ssh, xinetd, etc. should have access to NetLabel traffic as 
well as the user domains.

Comment 5 Steve Grubb 2007-01-05 18:48:33 UTC
Paul, could you tell us what's missing?

Comment 6 Paul Moore 2007-01-05 18:59:59 UTC
As I mentioned in comment #4 the network application domains do not presently 
have the NetLabel permissions in the SELinux policy.  The network application 
domains will need to be modified so that they have the correct NetLabel 
permissions, similar to what has been done for the user domains.  Please see 
the policy sources for the user domains for an example.

If this doesn't answer your question can you please be more specific?

This is on my list of things to do, but I am currently occupied with other 
issues with a higher priority; I re-opened this BZ now for tracking purposes.

Comment 7 Daniel Walsh 2007-01-05 21:21:41 UTC
Do you have updated patches to apply?

Comment 8 Paul Moore 2007-01-05 21:57:02 UTC
Not at present; I am working on some and hope to post them to the SELinux list 
early next week.

Comment 9 Daniel Walsh 2007-01-08 20:34:43 UTC
Fixed in selinux-policy-2.4.6-24

Comment 10 RHEL Program Management 2007-02-08 00:16:51 UTC
A package has been built which should help the problem described in 
this bug report. This report is therefore being closed with a resolution 
of CURRENTRELEASE. You may reopen this bug report if the solution does 
not work for you.