On Fri, 2009-06-05 at 09:30 +0100, Ted Rule wrote:
> I was much cheered last year to see Dan's permissive domains feature
> make it into the Fedora Policy, as per his livejournal article:
>
> http://danwalsh.livejournal.com/24537.html
>
> I had rather rashly hoped that this would make it into the main RedHat
> tree quite quickly as it seems so very useful for testing new applications.
>
> Sadly, it doesn't appear to exist in one of my CentOS5.3 instances
> running these versions - at least "semanage --help" suggests that it's
> not there, and I'm assuming
> that CentOS5.3 is near enough in policy version to RHEL5 to show that
> RHEL5 lacks the feature:
>
> $ rpm -q policycoreutils selinux-policy-targeted kernel
> policycoreutils-1.33.12-14.2.el5
> selinux-policy-targeted-2.4.6-203.el5
> kernel-2.6.18-92.el5
> kernel-2.6.18-128.1.10.el5
>
> but of course it does exist in my F10 instance running these:
>
> $ rpm -q policycoreutils selinux-policy-targeted kernel
> policycoreutils-2.0.57-14.fc10.i386
> selinux-policy-targeted-3.5.13-38.fc10.noarch
> kernel-2.6.27.9-159.fc10.i686
>
> Is there a timescale for adding this feature to RHEL5, or will it have
> to wait until RHEL6? Is there some sort of workaround to run the F10 policy
> on a CentOS5 box to get the feature, or does that simply involve so many
> version changes to umpteen other packages as to be a fruitless exercise?

I can't speak to your question about when or whether it would be
backported to RHEL5, but it would require back porting the patches to
the kernel, libsepol, checkpolicy, and policycoreutils (semanage). And
due to the incremental nature of the binary policy format versions, they
would also have to back port the policy capabilities patches.

It would certainly be a nice feature to have in RHEL5.

--
Stephen Smalley
National Security Agency