So after a little discussion with the SELinux folks it looks like we want to turn this option on in FC7 as well. This should not be changed for old Fedora releases.

This option will enable secmark by default instead of the legacy network hooks for SELinux. It should reduce the SELinux overhead on network traffic drastically. Few if any people actually use the old network checks, but if someone is using them they are still available (through a /selinux tunable called 'compat_net').

I believe the necessary bits to make use of secmark exist in the iptables packages shipped in rawhide. RHEL 5 shipped with this enabled, and since most people don't use it anyway (even people who leave SELinux on), all this will do is drop their overhead.

-Eric