Description of problem:
The SELinux policy for RHEL5 does not include support for the kernel NetLabel subsystem or the netlabel_tools/netlabelctl configuration utility. Patches have been posted to the SELinux list which provide this support.
* http://marc.theaimsgroup.com/?l=selinux&m=116060249030419&w=2
* http://marc.theaimsgroup.com/?l=selinux&m=116060249020535&w=2
Version-Release number of selected component (if applicable): N/A
How reproducible: N/A
Steps to Reproduce:
1. N/A
2.
3.
Actual results: N/A
Expected results: N/A
Additional info: This directly affects the LSPP efforts of RH, HP, and IBM.
This problem should be resolved prior to rc1.
Netlabel policy is present in selinux-policy-2.3.19-3
A package has been built which should help the problem described in this bug report. This report is therefore being closed with a resolution of CURRENTRELEASE. You may reopen this bug report if the solution does not work for you.
I am reopening this bug report because during further testing it was found that only the user related domains have access to NetLabel traffic. Network applications like ssh, xinetd, etc. should have access to NetLabel traffic as well as the user domains.
Paul, could you tell us what's missing?
As I mentioned in comment #4, the network application domains do not presently have the NetLabel permissions in the SELinux policy. The network application domains will need to be modified so that they have the correct NetLabel permissions, similar to what has been done for the user domains. Please see the policy sources for the user domains for an example. If this doesn't answer your question, can you please be more specific? This is on my list of things to do, but I am currently occupied with other issues with a higher priority; I re-opened this BZ now for tracking purposes.
Do you have updated patches to apply?
Not at present, I am working on some and hope to post them to the SELinux list early next week.
Fixed in selinux-policy-2.4.6-24