On Wednesday 2008-05-21 16:17, James Morris wrote:
>
> In a nutshell, the need for this arises from the fact that MAC labeling
> rules utilizing iptables via SECMARK and CONNSECMARK are not subject to
> discretionary security policy (i.e. not even "root" or a user with
> CAP_NET_ADMIN may be able to modify these rules).

Yet I do not see any code to possibly prohibit changing the table.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html