[PATCH 0/2] Security: Add security tables for mandatory access control

The following patches add a new ip[6]tables "security" table, for use with 
mandatory access control (MAC) security schemes.

This follows on from an RFC post earlier in the year:
http://thread.gmane.org/gmane.linux.redhat.fedora.selinux/8490

In a nutshell, the need for this arises from the fact that MAC labeling 
rules utilizing iptables via SECMARK and CONNSECMARK are not subject to 
discretionary security policy (i.e. not even "root" or a user with 
CAP_NET_ADMIN may be able to modify these rules).

So, a separate table is proposed here to allow these administrative 
security domains to be separated, and specifically to assist with distro 
integration.

Patches for IPv4 and IPv6 follow.

Please review and consider for 2.6.27.


- James
-- 
James Morris
<jmorris@xxxxxxxxx>