On 11/22/2016 1:42 PM, Paul Moore wrote:
> On Tue, Nov 22, 2016 at 12:32 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>> On 11/22/2016 11:44 AM, Richard Haines wrote:
>>> On Tue, 2016-11-15 at 09:28 -0800, Casey Schaufler wrote:
>>>> I am looking for an SELinux configuration that uses CIPSO.
>>>> Ideally, it would be based on a readily available distro,
>>>> but I'm willing to perform semi-heroic acts if I have to.
>>>> I'm not in a position to develop it myself, nor would that
>>>> really suit my nefarious purposes. Thank you.
>>>>
>>> I put this together out of idle curiosity using the targeted policy, as
>>> no policy updates are required, only netlabelctl commands. If you need
>>> something else like policy config let me know and I'll see what I can
>>> do.
>> Hmm...wondering how hard it would be to add this to the
>> selinux-testsuite, possibly run via a new Makefile target separate from
>> the rest of the tests since it requires setting up two machines.
> Thanks for putting that together, Richard.

Indeed. I have attached a tarball containing:

- A Makefile for compiling and running the demos
- The programs, in their respective files
- The original message

The programs and Makefile need copyrights and licenses. I've changed the
program names so they're less generic. I execute the programs from the
current directory rather than installing them in a public place. I have
made no effort to make this work anywhere but on Fedora. A cool
enhancement would be to auto-detect whether you're running on MachineA or
MachineB. Maybe in the next round. I am also thinking about a "one-shot"
option in the server and remote execution.

In any case, this is very helpful. Thank you. (Bwah Hah Hah)

> I'm all for inclusion into the selinux-testsuite so long as the
> default remains single host.
>
> However, for the record there is almost
> *zero* difference between loopback and remote CIPSO communication so
> long as the standard tags are used; if you use the "local"
> configuration the code paths are the same, we just do some nasty
> tricks to pass the full SELinux label (yes, the user:role:type info as
> well as a ranged MLS label) and intentionally munge the checksum in
> case the packet ever finds itself on the wire.
>
> I also hope to merge the CALIPSO support into the netlabel_tools
> package soon, I just need to finish sorting out some completely
> unrelated audit multicast and queue problems first ...
>
Attachment: cipso-demo.tar (binary data)
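The thread says Richard's demo needs only netlabelctl commands on top of the targeted policy, and Paul contrasts the two-host setup with the loopback "local" DOI. The script below is an added example written for this page; it is not the demo from the attached tarball and not part of the selinux-testsuite. It generates the netlabelctl commands for both variants so they can be reviewed (dry run, the default) or applied as root with `apply`. The DOI value, the peer network 192.0.2.0/24, and the script name are constructed placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example (not the tarball's demo): emit or apply the netlabelctl
# commands for a CIPSO setup between two SELinux hosts (MachineA/MachineB)
# and for the single-host loopback variant using the "local" DOI.
#
# Assumptions (constructed, override via environment):
#   DOI      - CIPSO Domain of Interpretation shared by both hosts
#   PEER_NET - address/prefix of the other machine's network
DOI="${DOI:-1}"
PEER_NET="${PEER_NET:-192.0.2.0/24}"

# Two-host variant: a "pass" DOI with standard tag 1 (restricted bitmap)
# passes the MLS sensitivity/categories unchanged, and the map entry tells
# NetLabel to attach the CIPSO option only on traffic to/from PEER_NET.
# Addresses with no matching map entry stay under the default "unlbl" entry.
cipso_remote_cmds() {
    printf '%s\n' \
        "netlabelctl cipsov4 add pass doi:$DOI tags:1" \
        "netlabelctl map add default address:$PEER_NET protocol:cipsov4,$DOI"
}

# Loopback variant: the "local" DOI never needs to leave the host, which is
# why the kernel can carry the full SELinux context rather than only the
# MLS portion. Only 127.0.0.1 is mapped to it.
cipso_local_cmds() {
    printf '%s\n' \
        "netlabelctl cipsov4 add local doi:$DOI" \
        "netlabelctl map add default address:127.0.0.1/32 protocol:cipsov4,$DOI"
}

# Verification: both hosts should show the DOI and the address mapping.
cipso_check_cmds() {
    printf '%s\n' "netlabelctl cipsov4 list" "netlabelctl map list"
}

# Select the command set for a mode; returns non-zero on an unknown mode.
cipso_cmds_for() {
    case "$1" in
        remote) cipso_remote_cmds ;;
        local)  cipso_local_cmds ;;
        *)      echo "unknown mode: $1" >&2; return 2 ;;
    esac
}

# Usage: sh cipso-netlabel.sh [print|apply] [remote|local]
# "print" (default) only shows the commands; "apply" runs them and then
# the verification commands, stopping at the first failure.
main() {
    action="${1:-print}"
    mode="${2:-remote}"
    cmds=$(cipso_cmds_for "$mode") || return 2
    checks=$(cipso_check_cmds)
    if [ "$action" = "apply" ]; then
        printf '%s\n%s\n' "$cmds" "$checks" | while read -r cmd; do
            echo "+ $cmd"
            eval "$cmd" || exit 1
        done
    else
        printf '%s\n' "$cmds"
    fi
}

main "$@"
```

Run the `remote` set on both machines with PEER_NET pointing at the other host's network (the DOI must match on both ends), and the `local` set on a single host to exercise the loopback path the thread describes. `netlabelctl map list` afterwards is the quick check that the mapping actually exists; without it, traffic to the peer is sent unlabeled.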