On 02/22/2011 05:32 PM, chanson@xxxxxxxxxxxxx wrote:
>
> >> mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
> >> (( h1 dom h2 ) or ( t1 == mcsnetwrite ));
> >>
> >> For some reason we do not do this in MLS policy. Does anyone
> >> know why we don't do this for MLS?
> >>
>
> I believe it is because we didn't make ports in MLS labeled objects. On
> other trusted network implementations, there was the idea of
> polyinstantiated ports so every label could always have one. We didn't
> do that on Linux; we just allow the port access to be first come, first
> served and let TE instead of MLS define what application should be using
> the port. There could be connections coming in to the port at multiple
> levels if the application is a trusted service and has the ability to talk
> to each of the clients.
>
> -Chad
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
> the words "unsubscribe selinux" without quotes as the message.

Well, it does not seem to work on MCS node_bind anyway; now I need to look into some of Paul Moore's stuff to see if I can get separation.

I want to set up rules that say a_t:MCS1 can bind to a host port (127.0.0.2) only if the host is labeled MCS1, and block it if it is labeled MCS2.
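To make the constraint quoted above concrete, here is an added example (not code from the thread or from the reference policy) that models how its expression evaluates for MCS-style contexts: a socket context supplies h1 and t1, a node context supplies h2, and `dom` is the usual MLS dominance check (sensitivity greater or equal, category set a superset). It shows why a socket at s0:c1 would pass against a node labeled s0:c1 or s0 but fail against s0:c2, and how a type carrying the mcsnetwrite attribute bypasses the check. The kernel makes the real decision against the loaded policy and only after TE has granted node_bind, so this covers the constraint expression only; the type names, contexts and attribute membership are constructed for illustration.

```python
"""Model of the node_bind MLS constraint discussed in the thread.

Added example, not code from the mailing list or the reference policy. It
evaluates the expression of

    mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
        (( h1 dom h2 ) or ( t1 == mcsnetwrite ));

for MCS-style levels (sensitivity s0 plus a category set). The kernel makes
the real decision against the loaded policy, and only after TE has allowed
node_bind; this models the constraint expression alone. All contexts and the
attribute membership below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet

# Types assumed (for this example only) to carry the mcsnetwrite attribute.
MCS_NETWRITE_TYPES = frozenset({"mcsnetwrite_t"})

# Object classes named in the constraint; other classes are not restricted by it.
CONSTRAINED_CLASSES = frozenset({"tcp_socket", "udp_socket", "rawip_socket"})


@dataclass(frozen=True)
class Level:
    sensitivity: int
    categories: FrozenSet[int]

    @classmethod
    def parse(cls, text: str) -> "Level":
        """Parse 's0' or 's0:c1.c3,c5' into a sensitivity and a category set."""
        sens, _, cats = text.partition(":")
        if not (sens.startswith("s") and sens[1:].isdigit()):
            raise ValueError(f"bad sensitivity in {text!r}")
        categories = set()
        for chunk in filter(None, cats.split(",")):
            lo, _, hi = chunk.partition(".")      # 'c1.c3' is an inclusive range
            lo_n = int(lo[1:])
            hi_n = int(hi[1:]) if hi else lo_n
            categories.update(range(lo_n, hi_n + 1))
        return cls(int(sens[1:]), frozenset(categories))

    def dominates(self, other: "Level") -> bool:
        """MLS 'dom': sensitivity >= other's and categories a superset of other's."""
        return (self.sensitivity >= other.sensitivity
                and self.categories >= other.categories)


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    low: Level
    high: Level

    @classmethod
    def parse(cls, text: str) -> "Context":
        """Parse 'user:role:type:low[-high]'; a single level means low == high."""
        user, role, typ, mls = text.split(":", 3)
        low_s, _, high_s = mls.partition("-")
        low = Level.parse(low_s)
        high = Level.parse(high_s) if high_s else low
        return cls(user, role, typ, low, high)


def node_bind_mls_allowed(socket_ctx: str, node_ctx: str,
                          tclass: str = "tcp_socket") -> bool:
    """Apply (( h1 dom h2 ) or ( t1 == mcsnetwrite )) for a node_bind check.

    h1 and t1 come from the socket (source) context, h2 from the node (target).
    """
    if tclass not in CONSTRAINED_CLASSES:
        return True                      # the constraint does not cover this class
    src = Context.parse(socket_ctx)
    tgt = Context.parse(node_ctx)
    return src.high.dominates(tgt.high) or src.type in MCS_NETWRITE_TYPES


if __name__ == "__main__":
    # Constructed contexts: a_t at category c1 against nodes at c1, c2 and no category.
    sock = "system_u:system_r:a_t:s0:c1"
    for node in ("system_u:object_r:node_t:s0:c1",
                 "system_u:object_r:node_t:s0:c2",
                 "system_u:object_r:node_t:s0"):
        verdict = "allowed" if node_bind_mls_allowed(sock, node) else "denied"
        print(f"{sock} -> {node}: {verdict}")
```

The model also makes Chad's point visible: nothing here names a port or a process type, so which application may bind stays a TE question (`allow a_t node_t:tcp_socket node_bind` still has to exist); the constraint can only narrow that grant by label.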