I want to enable CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT in the fedora kernel series. First let me say there are almost no users at all of the SELinux networking controls (old=netif or new=secmark) and we do provide a flag (/selinux/compat_net) for userspace to turn it back to the old stuff if a user needs. What few users I do know who use the network controls run RHEL not fedora. RHEL5 actually shipped with this enabled. I made that choice namely because there is a performance hit with the 'old style' network controls and the new secmark controls have a much smaller penalty.

I just can't see a reason to make everyone who uses Fedora pay a performance hit for network controls which never enforce any security goal, are probably going to be removed upstream, and no one uses anyway.

-Eric

--- tmp/config-2.6.23-0.174.rc6.fc8 2007-09-13 00:18:00.000000000 -0400
+++ tmp/config-2.6.23-0.174.rc6.fc8.new 2007-09-13 00:18:39.000000000 -0400
@@ -3330,7 +3330,7 @@
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
-# CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT is not set
+CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT=y
# CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set
CONFIG_XOR_BLOCKS=m
CONFIG_ASYNC_CORE=m

_______________________________________________
Fedora-kernel-list mailing list
Fedora-kernel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-kernel-list
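Review bot: the hunk header `@@ -3330,7 +3330,7 @@` promises seven lines per side, but the hunk body as posted has four leading context lines (CONFIG_SECURITY_SELINUX_DISABLE=y through CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1), the removed/added pair, and three trailing context lines, which is eight per side; patch will not apply a hunk whose counts disagree with its body, so regenerate the diff with diff -u rather than hand-editing it. Separately, flipping this default means any existing netif/node rules stop being enforced on upgrade without any visible signal; the mail itself names /selinux/compat_net as the way back, so a one-line note in the config change or the release notes pointing users of the old controls at that switch would spare them from discovering the change by accident.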