On 11/15/2016 10:43 AM, Stephen Smalley wrote:
> On 11/15/2016 01:34 PM, Casey Schaufler wrote:
>> On 11/15/2016 10:14 AM, Stephen Smalley wrote:
>>> On 11/15/2016 12:28 PM, Casey Schaufler wrote:
>>>> I am looking for an SELinux configuration that uses CIPSO.
>>>> Ideally, it would be based on a readily available distro,
>>>> but I'm willing to perform semi-heroic acts if I have to.
>>>> I'm not in a position to develop it myself, nor would that
>>>> really suit my nefarious purposes. Thank you.
>>> Can you clarify what you mean? There is a sample NetLabel configuration
>>> in the selinux-testsuite (in tests/inet_socket/netlabel-load) that
>>> configures full SELinux labeling over loopback connections, used by the
>>> inet_socket tests. And the corresponding SELinux policy rules for those
>>> tests can be found in policy/test_inet_socket.te within the testsuite.
>> That will probably get me started. I'll have a look at the test
>> documentation. I am also looking for a configuration that I can
>> use for exploring a "real" CIPSO environment, where two or more
>> machines are talking to each other using CIPSO. I think that I
>> understand how that is supposed to work, but there's nothing like
>> seeing the packets fly. Is there a case for that in the test suite?
>> Thank you.
> Not in the selinux-testsuite, since it doesn't presently require/expect
> you to set up two different systems. Probably the lspp testsuite or
> Paul Moore's blog or maybe the SELinux Notebook for samples of that kind
> of configuration. Note that in that cross-machine case, CIPSO only
> passes an encoding of the MLS label, not the user:role:type information.

Yeah, the cross machine MLS only encoding is one of the things that I'm
most interested in examining carefully. I can't help but think that that
is something that could be somewhat tricky to set up, which is why I'm
hoping that there's an example I can look at and play with.
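Stephen's point that CIPSO carries only an encoding of the MLS label (sensitivity level plus categories) and never the user:role:type part of the context is easiest to see by decoding the IP option itself. The following is an added example, not code from this thread, from the selinux-testsuite or from NetLabel; it builds and parses a CIPSOv4 option using the tag type 1 (restrictive bitmap) and tag type 2 (enumerated categories) layouts from FIPS 188 as the Linux NetLabel code implements them (option type 134, a 32-bit DOI, then tags; in the bitmap the most significant bit of the first octet is category 0). The sample option bytes at the bottom are constructed for this example.

```python
"""Build and decode CIPSOv4 IP options (FIPS 188 tag types 1 and 2).

Added example: shows that the wire format holds only a DOI, a
sensitivity level and a category set, i.e. the MLS portion of a label.
"""
import struct
from dataclasses import dataclass, field

CIPSO_OPTION_TYPE = 0x86      # IPv4 option number 134 (CIPSO)
TAG_RESTRICTIVE_BITMAP = 1    # level + category bitmap
TAG_ENUMERATED = 2            # level + list of 16-bit category numbers
MAX_BITMAP_BYTES = 30         # tag type 1 bitmap is capped at 30 octets
MAX_IPV4_OPTION_LEN = 40      # IPv4 header option space


@dataclass(frozen=True)
class CipsoLabel:
    doi: int
    level: int
    categories: frozenset = field(default_factory=frozenset)


def encode_cipso(label: CipsoLabel) -> bytes:
    """Encode a label as a CIPSO option with a single tag type 1."""
    if not 0 <= label.level <= 255:
        raise ValueError("level must fit in one octet")
    bitmap = bytearray()
    if label.categories:
        nbytes = max(label.categories) // 8 + 1
        if nbytes > MAX_BITMAP_BYTES:
            raise ValueError("category too large for tag type 1")
        bitmap = bytearray(nbytes)
        for cat in label.categories:
            bitmap[cat // 8] |= 0x80 >> (cat % 8)   # MSB of octet 0 is category 0
    tag = bytes([TAG_RESTRICTIVE_BITMAP, 4 + len(bitmap), 0, label.level]) + bytes(bitmap)
    option = bytes([CIPSO_OPTION_TYPE, 6 + len(tag)]) + struct.pack("!I", label.doi) + tag
    if len(option) > MAX_IPV4_OPTION_LEN:
        raise ValueError("option exceeds IPv4 option space")
    return option


def decode_cipso(option: bytes) -> CipsoLabel:
    """Decode the first tag of a CIPSO option; rejects malformed lengths."""
    if len(option) < 6 or option[0] != CIPSO_OPTION_TYPE:
        raise ValueError("not a CIPSO option")
    opt_len = option[1]
    if opt_len != len(option) or opt_len > MAX_IPV4_OPTION_LEN:
        raise ValueError("bad option length")
    doi = struct.unpack("!I", option[2:6])[0]
    pos = 6
    if opt_len - pos < 4:
        raise ValueError("option carries no complete tag")
    tag_type, tag_len = option[pos], option[pos + 1]
    if tag_len < 4 or pos + tag_len > opt_len:
        raise ValueError("bad tag length")
    level = option[pos + 3]
    body = option[pos + 4:pos + tag_len]
    if tag_type == TAG_RESTRICTIVE_BITMAP:
        if len(body) > MAX_BITMAP_BYTES:
            raise ValueError("bitmap too long")
        cats = {i * 8 + b for i, octet in enumerate(body)
                for b in range(8) if octet & (0x80 >> b)}
    elif tag_type == TAG_ENUMERATED:
        if len(body) % 2:
            raise ValueError("enumerated tag body must be 16-bit aligned")
        cats = set(struct.unpack("!%dH" % (len(body) // 2), body))
    else:
        raise ValueError("unsupported tag type %d" % tag_type)
    return CipsoLabel(doi, level, frozenset(cats))


# Constructed sample: DOI 1, level 3, categories {0, 2, 9} as a tag type 1.
SAMPLE_TAG1 = bytes.fromhex("860c0000000101060003a040")
# Constructed sample: DOI 2, level 5, categories {3, 256} as a tag type 2.
SAMPLE_TAG2 = bytes.fromhex("860e00000002020800050003" "0100")

if __name__ == "__main__":
    for sample in (SAMPLE_TAG1, SAMPLE_TAG2):
        print(sample.hex(), "->", decode_cipso(sample))
    print(encode_cipso(CipsoLabel(1, 3, frozenset({0, 2, 9}))).hex())
```

Whatever the sending host's full SELinux context was, the receiving host only ever sees the DOI, level and category set above and has to map them back into a context through its own NetLabel and policy configuration, which is why the cross-machine setup needs matching DOI and MLS definitions on both ends.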
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.