Bug 210426 - lspp: NetLabel SELinux policy is missing from RHEL5
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.0
Hardware: All Linux
Priority: medium Severity: medium
Assigned To: Daniel Walsh
Keywords: Reopened
 
Reported: 2006-10-11 19:28 EDT by Paul Moore
Modified: 2007-11-30 17:07 EST
Fixed In Version: RC
Doc Type: Bug Fix
Last Closed: 2007-02-07 19:16:51 EST


Description Paul Moore 2006-10-11 19:28:34 EDT
Description of problem:
The SELinux policy for RHEL5 does not include support for the kernel NetLabel
subsystem or the netlabel_tools/netlabelctl configuration utility.  Patches have
been posted to the SELinux list which provide this support.

 * http://marc.theaimsgroup.com/?l=selinux&m=116060249030419&w=2
 * http://marc.theaimsgroup.com/?l=selinux&m=116060249020535&w=2

Version-Release number of selected component (if applicable):
N/A

How reproducible:
N/A

Steps to Reproduce:
1. N/A
  
Actual results:
N/A

Expected results:
N/A

Additional info:
This directly affects the LSPP efforts of RH, HP, and IBM.
Comment 1 Irina Boverman 2006-10-12 16:44:31 EDT
This problem should be resolved prior to rc1.
Comment 2 Daniel Walsh 2006-10-18 17:03:22 EDT
Netlabel policy is present in selinux-policy-2.3.19-3
Comment 3 RHEL Product and Program Management 2006-12-22 20:16:32 EST
A package has been built which should help the problem described in 
this bug report. This report is therefore being closed with a resolution 
of CURRENTRELEASE. You may reopen this bug report if the solution does 
not work for you.
Comment 4 Paul Moore 2007-01-04 17:40:32 EST
I am reopening this bug report because during further testing it was found 
that only the user related domains have access to NetLabel traffic.  Network 
applications like ssh, xinetd, etc. should have access to NetLabel traffic as 
well as the user domains.
Comment 5 Steve Grubb 2007-01-05 13:48:33 EST
Paul, could you tell us what's missing?
Comment 6 Paul Moore 2007-01-05 13:59:59 EST
As I mentioned in comment #4, the network application domains do not presently 
have the NetLabel permissions in the SELinux policy.  The network application 
domains will need to be modified so that they have the correct NetLabel 
permissions, similar to what has been done for the user domains.  Please see 
the policy sources for the user domains for an example.

If this doesn't answer your question, can you please be more specific?

This is on my list of things to do, but I am currently occupied with other 
issues with a higher priority; I re-opened this BZ now for tracking purposes.
Comment 7 Daniel Walsh 2007-01-05 16:21:41 EST
Do you have updated patches to apply?
Comment 8 Paul Moore 2007-01-05 16:57:02 EST
Not at present; I am working on some and hope to post them to the SELinux list 
early next week.
Comment 9 Daniel Walsh 2007-01-08 15:34:43 EST
Fixed in selinux-policy-2.4.6-24
Comment 10 RHEL Product and Program Management 2007-02-07 19:16:51 EST
A package has been built which should help the problem described in 
this bug report. This report is therefore being closed with a resolution 
of CURRENTRELEASE. You may reopen this bug report if the solution does 
not work for you.
