On Tue, Nov 22, 2016 at 12:32 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On 11/22/2016 11:44 AM, Richard Haines wrote:
>> On Tue, 2016-11-15 at 09:28 -0800, Casey Schaufler wrote:
>>> I am looking for an SELinux configuration that uses CIPSO.
>>> Ideally, it would be based on a readily available distro,
>>> but I'm willing to perform semi-heroic acts if I have to.
>>> I'm not in a position to develop it myself, nor would that
>>> really suit my nefarious purposes. Thank you.
>>>
>> I put this together out of idle curiosity using the targeted policy as
>> no policy updates are required, only netlabelctl commands. If you need
>> something else like policy config let me know and I'll see what I can
>> do.
>
> Hmm...wondering how hard it would be to add this to the
> selinux-testsuite, possibly run via a new Makefile target separate from
> the rest of the tests since it requires setting up two machines.

Thanks for putting that together Richard. I'm all for inclusion into the
selinux-testsuite so long as the default remains single host.

However, for the record there is almost *zero* difference between loopback
and remote CIPSO communication so long as the standard tags are used; if
you use the "local" configuration the code paths are the same, we just do
some nasty tricks to pass the full SELinux label (yes, the user:role:type
info as well as a ranged MLS label) and intentionally munge the checksum in
case the packet ever finds itself on the wire.

I also hope to merge the CALIPSO support into the netlabel_tools package
soon, I just need to finish sorting out some completely unrelated audit
multicast and queue problems first ...

--
paul moore
www.paul-moore.com
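The thread distinguishes the standard CIPSO tags, which carry a level and categories and are meaningful between hosts, from NetLabel's loopback-only "local" tag, which carries a kernel secid that only the originating host can resolve. The following parser is an added example, not code from the thread or from netlabel_tools: it decodes a CIPSO IPv4 option (option type 134) with the standard tag types 1 (restrictive bitmap) and 2 (enumerated) from FIPS 188, and flags the Linux local tag (type 128) rather than interpreting its secid; the sample option bytes are constructed for the example.

```python
"""Decode an on-wire CIPSO IPv4 option: DOI plus a list of tags.
Standard tags 1 and 2 are decoded to level/categories; the Linux
NetLabel local tag (128) is reported but not interpreted."""
import struct

CIPSO_OPT_TYPE = 134
TAG_BITMAP = 1          # FIPS 188 restrictive bitmap tag
TAG_ENUM = 2            # FIPS 188 enumerated categories tag
TAG_LINUX_LOCAL = 128   # NetLabel loopback tag: carries a kernel secid

def parse_cipso(option: bytes) -> dict:
    if len(option) < 6 or option[0] != CIPSO_OPT_TYPE:
        raise ValueError("not a CIPSO option")
    length = option[1]  # counts the type and length octets too
    if length != len(option) or length > 40:
        raise ValueError("bad option length")
    doi = struct.unpack("!I", option[2:6])[0]
    tags, pos = [], 6
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated tag header")
        tag_type, tag_len = option[pos], option[pos + 1]
        if tag_len < 2 or pos + tag_len > length:
            raise ValueError("bad tag length")
        body = option[pos + 2:pos + tag_len]
        if tag_type == TAG_BITMAP:
            # alignment octet (must be 0), sensitivity level, then a
            # bitmap where category 0 is the MSB of the first octet
            if len(body) < 2 or body[0] != 0:
                raise ValueError("malformed bitmap tag")
            cats = [i * 8 + b for i, octet in enumerate(body[2:])
                    for b in range(8) if octet & (0x80 >> b)]
            tags.append({"type": tag_type, "level": body[1], "categories": cats})
        elif tag_type == TAG_ENUM:
            # alignment octet, level, then 16-bit category numbers
            if len(body) < 2 or body[0] != 0 or (len(body) - 2) % 2:
                raise ValueError("malformed enumerated tag")
            cats = list(struct.unpack("!%dH" % ((len(body) - 2) // 2), body[2:]))
            tags.append({"type": tag_type, "level": body[1], "categories": cats})
        elif tag_type == TAG_LINUX_LOCAL:
            # only the originating host can map this secid to a label
            tags.append({"type": tag_type, "local": True, "secid_bytes": body.hex()})
        else:
            tags.append({"type": tag_type, "raw": body.hex()})
        pos += tag_len
    return {"doi": doi, "tags": tags}

def is_valid_cipso(option: bytes) -> bool:
    """True if the option parses cleanly, False on any structural error."""
    try:
        parse_cipso(option)
        return True
    except ValueError:
        return False

# Constructed sample: DOI 1, one bitmap tag, level 3, categories 0, 2 and 15.
SAMPLE_BITMAP = bytes([134, 12, 0, 0, 0, 1, 1, 6, 0, 3, 0xA0, 0x01])
```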