So I think most of us in this discussion probably don't actually understand SECMARK. I sure didn't. I think I might now, sort of.

The SELinux policy just says contexts, and it doesn't say anything about the port numbers. The point of SECMARK is that you write port-matching rules that are what sets the context on those packets. You have to write those rules by hand (or somehow) or else there just aren't ever any packets anywhere that are marked with the right context so they match the SELinux policy for what the given daemon is allowed to see.

So I think what one really wants is just a better level of admin/packaging coordination. That is, you would really like to write in one place both the SELinux policy and the port numbers (i.e. iptables matching rules) you want to associate with contexts. Then you want that to generate iptables rules that both allow packets and mark them, and you want those sets of rules to come along with the daemon's installation or something like that, such that it is easy to say "enable this daemon" and get correct iptables rules configured on your system.

All that said, I probably still missed some major point about how SECMARK actually works. I have no idea.

Thanks,
Roland

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
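The "write it in one place and generate both halves" idea from the message above, as an added example that is not part of the original post or of any Fedora tooling. It is a small POSIX sh generator that reads one line per daemon (name, SELinux domain, protocol, port) and prints, rather than applies, two things: the iptables mangle-table rules that label matching packets with the `SECMARK` target and carry that label across the connection with `CONNSECMARK --save/--restore`, and the SELinux type-enforcement fragment that declares the packet type and lets the daemon's domain send and receive it. The function names are hypothetical, the `httpd`/port 80 input at the bottom is constructed sample data, and the `corenet_packet()` call assumes the reference policy's interface of that name is available in the build.

```sh
#!/bin/sh
# Added example (not from the thread): generate SECMARK iptables rules and the
# matching SELinux policy fragment from one per-daemon description.
# Input lines on stdin: "<name> <selinux-domain> <proto> <port>".

# Packet security context derived from the daemon name (naming convention is
# an assumption of this example).
packet_ctx() {
    printf 'system_u:object_r:%s_packet_t:s0\n' "$1"
}

# Copy the label saved on the conntrack entry back onto later packets of a
# flow, so replies and follow-up packets carry the same context as the first.
connsecmark_restore_rules() {
    printf '%s\n' \
    'iptables -t mangle -A INPUT  -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore' \
    'iptables -t mangle -A OUTPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore'
}

# Label the first inbound packet of a connection to this daemon's port and
# accept it in the filter table: the "mark" and "allow" halves Roland wants
# generated together.  $1 = name, $2 = proto, $3 = port
secmark_rules() {
    ctx=$(packet_ctx "$1")
    printf '%s\n' \
    "iptables -t mangle -A INPUT  -p $2 --dport $3 -m state --state NEW -j SECMARK --selctx $ctx" \
    "iptables -t filter -A INPUT  -p $2 --dport $3 -j ACCEPT"
}

# Store the label just set onto the conntrack entry of each new connection.
# Must come after every SECMARK rule, which is why gen_iptables orders it last.
connsecmark_save_rules() {
    printf '%s\n' \
    'iptables -t mangle -A INPUT  -m state --state NEW -j CONNSECMARK --save' \
    'iptables -t mangle -A OUTPUT -m state --state NEW -j CONNSECMARK --save'
}

# SELinux TE fragment for one daemon.  $1 = name, $2 = domain
te_policy() {
    printf "gen_require(\`\n    type %s;\n')\n" "$2"
    printf '%s\n' \
    "type ${1}_packet_t;" \
    "corenet_packet(${1}_packet_t)" \
    "allow $2 ${1}_packet_t:packet { send recv };"
}

# Whole iptables rule set, in the order SECMARK needs: restore, mark, save.
gen_iptables() {
    connsecmark_restore_rules
    while read -r name domain proto port; do
        [ -n "$name" ] || continue
        secmark_rules "$name" "$proto" "$port"
    done
    connsecmark_save_rules
}

# Whole policy module body for the same input.
gen_policy() {
    printf 'policy_module(secmark_generated, 1.0)\n'
    while read -r name domain proto port; do
        [ -n "$name" ] || continue
        te_policy "$name" "$domain"
    done
}

# Demo on constructed input (an httpd listening on tcp/80).
SAMPLE_DAEMONS='httpd httpd_t tcp 80'
echo '# --- iptables rules ---'
printf '%s\n' "$SAMPLE_DAEMONS" | gen_iptables
echo '# --- SELinux policy ---'
printf '%s\n' "$SAMPLE_DAEMONS" | gen_policy
```

The generator prints shell lines instead of invoking iptables so the output can be reviewed, shipped with a package, or fed to `iptables-restore` after translation; the ordering in `gen_iptables` matters, because a `CONNSECMARK --save` rule placed before the `SECMARK` rules would store an empty label. The caveat behind the post's "there just aren't ever any packets ... marked with the right context": as soon as any SECMARK rule is loaded, packets that match no rule carry the `unlabeled_t` context, so a domain that is only allowed its own packet type will be denied traffic on ports nobody wrote a rule for, and the AVC denials will name `unlabeled_t` rather than the daemon's packet type.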