On Sunday 09 November 2008 1:26:58 pm Joe Nall wrote:
> On Nov 3, 2008, at 2:34 PM, Daniel J Walsh wrote:
> > Paul Moore wrote:
> >> On Monday 03 November 2008 8:51:49 am Stephen Smalley wrote:
> >>> On Mon, 2008-11-03 at 14:47 +0100, Andy Warner wrote:
> >>>> Stephen Smalley wrote:
> >>>>> On Mon, 2008-11-03 at 12:49 +0100, Andy Warner wrote:
> >>>>>> I am running Fedora 9 with the MLS policy and see no evidence
> >>>>>> that the label translation is enabled. I am using the default
> >>>>>> setrans.conf and the "disable=1" flag is commented out.
> >>>>>>
> >>>>>> Using the selinux_trans_to_raw (e.g., with a SystemHigh level)
> >>>>>> produces the exact same label string as passed in which will
> >>>>>> not pass validation (using s15:c0.c1023 will pass validation).
> >>>>>>
> >>>>>> Trying id -Z followed by newrole produces:
> >>>>>> id -Z
> >>>>>> warner_u:secadm_r:secadm_t:s0-s15:c0.c1023
> >>>>>>
> >>>>>> newrole -l SystemLow-SystemHigh
> >>>>>> warner_u:secadm_r:secadm_t:SystemLow-SystemHigh is not a valid
> >>>>>> context
> >>>>>>
> >>>>>> Is there something that must be done to activate label
> >>>>>> translation?
> >>>>>
> >>>>> Label translation is provided by a daemon, mcstrans.
> >>>>>
> >>>>> yum install mcstrans
> >>>>> /sbin/chkconfig mcstrans on
> >>>>> /sbin/service mcstrans start
> >>>>
> >>>> Thanks. I was not starting the mcstrans service. When I get a
> >>>> translation, it seems odd as follows.
> >>>>
> >>>> without mcstrans:
> >>>> id -Z
> >>>> warner_u:secadm_r:secadm_t:s0-s15:c0.c1023
> >>>>
> >>>> with mcstrans:
> >>>> id -Z
> >>>> warner_u:secadm_r:secadm_t:SystemLow:SystemLow-SystemHigh
> >>>>
> >>>> Is it expected to have the high end of the range expressed as a
> >>>> range? The translation table has the following relevant entries:
> >>>> s0 SystemLow
> >>>> s0-s15:c0.c1023 SystemLow-SystemHigh
> >>>
> >>> No, that looks wrong to me as well. cc'ing Dan Walsh of Red Hat,
> >>> who maintains mcstrans.
> >>>
> >>> BTW, if you are looking for more complete MLS label translation
> >>> support, you might try the extended mcstrans posted by Joe Nall.
> >>
> >> What is the status of the patch? I vaguely remember a little bit
> >> of discussion/review about the patch but it's not clear to me if
> >> it was ever accepted into upstream/Fedora and if it wasn't what
> >> the next steps were going to be ...
> >
> > Good question, we have let this slip through the cracks. I would
> > like to replace my library totally with Joe's. The only concern
> > would be to allow people who used my format to convert to the new
> > format if possible or at least document how to do this.
>
> Sorry about the big delay in closure on this. We have been very busy
> trying to build a demonstrable Fedora based MLS/X system to run our
> applications on. The demo was last week in London and we have some
> time to upstream our changes this month. That includes adding
> combination constraints, label-to-color mapping and migration tools
> to mcstransd and pushing it into a public repo for community
> consideration.

Cool. Do the current X/metacity patches support label coloring?

--
paul moore
linux @ hp
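The range translation discussed in this thread, as an added example that is not part of the original messages and is not mcstrans code: a small table-driven translator that prefers a whole-range match and uses a round-trip check to flag output like `SystemLow:SystemLow-SystemHigh`. The `raw=translated` table syntax, the `s15:c0.c1023=SystemHigh` entry and all function names are assumptions made for illustration.

```python
# Constructed table: the entries quoted in the thread, written as
# "raw=translated" lines (assumed syntax); the SystemHigh line is assumed.
SETRANS = """\
# raw=translated
s0=SystemLow
s15:c0.c1023=SystemHigh
s0-s15:c0.c1023=SystemLow-SystemHigh
"""

def parse_table(text):
    """Return {raw_level_or_range: translated_name}, ignoring comments."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            raw, trans = (p.strip() for p in line.split("=", 1))
            table[raw] = trans
    return table

def _map_range(rng, mapping):
    # Prefer an entry for the whole range; otherwise map each end alone.
    if rng in mapping:
        return mapping[rng]
    low, sep, high = rng.partition("-")
    if not sep:
        return rng  # single level with no entry: pass through unchanged
    return mapping.get(low, low) + "-" + mapping.get(high, high)

def _swap_range(context, mapping):
    # user:role:type:range -- the range itself may contain ':' (s15:c0.c1023)
    parts = context.split(":", 3)
    if len(parts) != 4:
        raise ValueError("expected user:role:type:range, got %r" % context)
    parts[3] = _map_range(parts[3], mapping)
    return ":".join(parts)

def to_translated(context, table):
    return _swap_range(context, table)

def to_raw(context, table):
    return _swap_range(context, {t: r for r, t in table.items()})

def round_trips(raw, translated, table):
    """A correct translation must map back to the raw context it came from."""
    return to_raw(translated, table) == raw

TABLE = parse_table(SETRANS)
```

With an empty table `to_raw` returns its input unchanged, which matches the untranslated string reported in the thread before the daemon was started.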