Red Hat Bugzilla – Bug 210426
lspp: NetLabel SELinux policy is missing from RHEL5
Last modified: 2007-11-30 17:07:35 EST
Description of problem:
The SELinux policy for RHEL5 does not include support for the kernel NetLabel
subsystem or the netlabel_tools/netlabelctl configuration utility. Patches have
been posted to the SELinux list which provide this support.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
This directly affects the LSPP efforts of RH, HP, and IBM.
This problem should be resolved prior to rc1.
NetLabel policy is present in selinux-policy-2.3.19-3.
A package has been built which should help the problem described in
this bug report. This report is therefore being closed with a resolution
of CURRENTRELEASE. You may reopen this bug report if the solution does
not work for you.
I am reopening this bug report because during further testing it was found
that only the user related domains have access to NetLabel traffic. Network
applications like ssh, xinetd, etc. should have access to NetLabel traffic as
well as the user domains.
Paul, could you tell us what's missing?
As I mentioned in comment #4 the network application domains do not presently
have the NetLabel permissions in the SELinux policy. The network application
domains will need to be modified so that they have the correct NetLabel
permissions, similar to what has been done for the user domains. Please see
the policy sources for the user domains for an example.
If this doesn't answer your question can you please be more specific?
This is on my list of things to do, but I am currently occupied with other
issues with a higher priority; I re-opened this BZ now for tracking purposes.
Do you have updated patches to apply?
Not at present, I am working on some and hope to post them to the SELinux list
early next week.
Fixed in selinux-policy-2.4.6-24