James Morris wrote:
> On Wed, 21 May 2008, Patrick McHardy wrote:
>> Pablo Neira Ayuso wrote:
>>> As of now we only support dumping. This patch adds support to change
>>> the secmark from ctnetlink.
>>
>> I'm wondering whether this isn't subverting the intent of
>> secmark since AFAIK SELinux doesn't have fine-grained
>> controls for netlink messages. OTOH, it also doesn't have
>> fine-grained control over iptables rulesets.
>>
>> James, does this patch look OK to you?
>
> There is some fine-grained netlink coverage, but it is incomplete (the
> various generic netlink layers likely need to be consolidated first).
>
> Currently, the SECMARK and CONNSECMARK targets call out to
> selinux_secmark_relabel_packet_permission() when SELinux is active to
> obtain a permission check. So, detection of the current security model
> would need to be similarly performed.

Thanks for the explanation.

> The bigger issue perhaps is whether there's really a need to set secmark
> via ctnetlink.

I think Pablo wants to use it for synchronization with conntrackd,
but I'm not sure.
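To make the point in James's reply concrete, here is a userspace model, added to this page and not code from the patch or from the kernel tree, of what a ctnetlink secmark-change handler looks like with and without the relabel permission check that the SECMARK target performs. The `struct nf_conn`, the handler names, the permission callback type and the policy table are all stand-ins invented for the example; the real hook referred to in the thread is selinux_secmark_relabel_packet_permission(), which is not callable from userspace.

```c
/*
 * Added example (not from the patch or the kernel): a userspace model of a
 * ctnetlink secmark-change handler, with and without the SELinux relabel
 * permission check that xt_SECMARK/xt_CONNSECMARK perform. Everything here
 * is a stand-in; the real hook is selinux_secmark_relabel_packet_permission().
 */
#include <errno.h>
#include <stdint.h>
#include <stddef.h>

/* Minimal stand-in for the conntrack entry; only the fields the example uses. */
struct nf_conn {
	uint32_t mark;
	uint32_t secmark;
};

/*
 * Stand-in for the LSM hook: return 0 if relabelling a packet to @secid is
 * permitted by the active security model, a negative errno otherwise.
 * Passing NULL models the case where no security module is active.
 */
typedef int (*secmark_relabel_perm_fn)(uint32_t secid);

/* Constructed policy for the example: only these two SIDs may be assigned. */
static const uint32_t model_allowed_sids[] = { 0x1001, 0x1002 };

/* Assumed SELinux-like policy: relabel to @secid only if it is in the table. */
int model_secmark_relabel_permission(uint32_t secid)
{
	size_t i;

	for (i = 0; i < sizeof(model_allowed_sids) / sizeof(model_allowed_sids[0]); i++)
		if (model_allowed_sids[i] == secid)
			return 0;
	return -EACCES;
}

/*
 * The handler as a patch that "just sets the attribute" would write it:
 * whatever secmark arrives over netlink is stored into the conntrack entry.
 * Any process allowed to send ctnetlink messages can thereby relabel a
 * connection to an arbitrary security identifier.
 */
int ctnetlink_change_secmark_unchecked(struct nf_conn *ct, uint32_t secmark)
{
	ct->secmark = secmark;
	return 0;
}

/*
 * The same handler gated by the relabel check, mirroring what the SECMARK
 * target does in its checkentry path. When the security model refuses the
 * target SID the entry is left untouched and the error is returned to the
 * netlink caller; when no model is active (perm == NULL) the change goes
 * through unchanged.
 */
int ctnetlink_change_secmark_checked(struct nf_conn *ct, uint32_t secmark,
				     secmark_relabel_perm_fn perm)
{
	int err;

	if (perm) {
		err = perm(secmark);
		if (err)
			return err;
	}
	ct->secmark = secmark;
	return 0;
}
```

The point of the two handlers side by side is the one raised in the thread: a secmark accepted from netlink is a relabel, so without the same permission check the targets perform, ctnetlink becomes a path around the policy that governs SECMARK. Whether that check should be the SELinux-specific call or a generic LSM hook is the "detection of the current security model" question James mentions; the model above leaves that as the `perm` callback.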