[redhat-lspp] A quick HOW-TO on using the new CIPSO tag types

Stephen Smalley sds at tycho.nsa.gov
Wed Nov 29 19:40:12 UTC 2006


On Wed, 2006-11-29 at 14:32 -0500, Paul Moore wrote:
> Eric Paris wrote:
> > On Wed, 2006-11-29 at 13:54 -0500, Paul Moore wrote:
> > 
> >>I just posted a set of patches to the netdev and SELinux mailing lists which add
> >>two new CIPSO tag types from the IETF draft.  These two new types allow you to
> >>transmit categories greater than 240.  See the draft for details:
> >>
> >> * http://sourceforge.net/docman/display_doc.php?docid=34650&group_id=174379
> >>
> >>For those of you who want to play with the patches you can do so with the
> >>netlabel_tools you currently have; the only change is that instead of always
> >>specifying "tags:1" when adding a CIPSO DOI definition you can now use tag types
> >>"2" and "5", or a combination.  Examples below:
> >  
> > As of right now I do not foresee this going into RHEL5 GA and thus would
> > not be part of the current LSPP certification.  It's possible that such
> > a patch could make U1 but that would be too late for certification.  So
> > I'm not sure how this howto is applicable to the LSPP effort underway.
> > This howto will clearly be of interest when we do the RHEL6 lspp effort
> > some day down the line.  If I'm misunderstanding what is needed to meet
> > LSPP and this is somehow required please let me know so we can talk
> > about what needs to be done.
> 
> I posted the how-to on the LSPP mailing list because this has become the place
> where most MLS discussions take place, regardless of whether or not they are
> related to the current LSPP efforts of RH, HP, IBM, etc.  I do not expect the
> latest patches to be included in RHEL5; I submitted the patches and the how-to
> because life goes on outside the evaluation ... and, well, it's more fun than
> the other things I have to work on :)
> 
> In the future I can post these things elsewhere if it cuts down on the confusion?

I'd favor pushing as much as possible over to selinux list (as long as
it is germane to the upstream selinux project, which this is).  Not
everyone involved in selinux follows redhat-lspp, and at times this has
led to serious disconnects. 

-- 
Stephen Smalley
National Security Agency



