Bug 210426 - lspp: NetLabel SELinux policy is missing from RHEL5
Summary: lspp: NetLabel SELinux policy is missing from RHEL5
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2006-10-11 23:28 UTC by Paul Moore
Modified: 2007-11-30 22:07 UTC (History)
2 users (show)

Fixed In Version: RC
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-02-08 00:16:51 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)

Description Paul Moore 2006-10-11 23:28:34 UTC
Description of problem:
The SELinux policy for RHEL5 does not include support for the kernel NetLabel
subsystem or the netlabel_tools/netlabelctl configuration utility.  Patches have
been posted to the SELinux list which provide this support.

 * http://marc.theaimsgroup.com/?l=selinux&m=116060249030419&w=2
 * http://marc.theaimsgroup.com/?l=selinux&m=116060249020535&w=2

Version-Release number of selected component (if applicable):
N/A

How reproducible:
N/A

Steps to Reproduce:
1. N/A
2.
3.
  
Actual results:
N/A

Expected results:
N/A

Additional info:
This directly effects the LSPP efforts of RH, HP, and IBM.

Comment 1 Irina Boverman 2006-10-12 20:44:31 UTC
this problem should be resolved prior to rc1

Comment 2 Daniel Walsh 2006-10-18 21:03:22 UTC
Netlabel policy is present in selinux-policy-2.3.19-3

Comment 3 RHEL Program Management 2006-12-23 01:16:32 UTC
A package has been built which should help the problem described in 
this bug report. This report is therefore being closed with a resolution 
of CURRENTRELEASE. You may reopen this bug report if the solution does 
not work for you.


Comment 4 Paul Moore 2007-01-04 22:40:32 UTC
I am reopening this bug report because during further testing it was found 
that only the user related domains have access to NetLabel traffic.  Network 
applications like ssh, xinetd, etc. should have access to NetLabel traffic as 
well as the user domains.

Comment 5 Steve Grubb 2007-01-05 18:48:33 UTC
Paul, could you tell us what's missing?

Comment 6 Paul Moore 2007-01-05 18:59:59 UTC
As I mentioned in comment #4 the network application domains do not presently 
have the NetLabel permissions in the SELinux policy.  The network application 
domains will need to be modified to so that they have the correct NetLabel 
permissions, similar to what has been done for the user domains.  Please see 
the policy sources for the user domains for an example.

If this doesn't answer your question can you please be more specific?

This is on my list of things to-do but I am currently occupied with other 
issues with a higher priority, I re-opened this BZ now for tracking purposes.

Comment 7 Daniel Walsh 2007-01-05 21:21:41 UTC
Do you have updated patches to apply?

Comment 8 Paul Moore 2007-01-05 21:57:02 UTC
Not at present, I am working on some and hope to post them to the SELinux list 
early next week.

Comment 9 Daniel Walsh 2007-01-08 20:34:43 UTC
Fixed in selinux-policy-2.4.6-24

Comment 10 RHEL Program Management 2007-02-08 00:16:51 UTC
A package has been built which should help the problem described in 
this bug report. This report is therefore being closed with a resolution 
of CURRENTRELEASE. You may reopen this bug report if the solution does 
not work for you.



Note You need to log in before you can comment on or make changes to this bug.