Re: [PATCH 0/2] Security: Add security tables for mandatory access control

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, 22 May 2008, Jan Engelhardt wrote:

> 
> On Wednesday 2008-05-21 16:17, James Morris wrote:
> >
> >In a nutshell, the need for this arises from the fact that MAC labeling 
> >rules utilizing iptables via SECMARK and CONNSECMARK are not subject to 
> >discretionary security policy (i.e. not even "root" or a user with 
> >CAP_NET_ADMIN may be able to modify these rules).
> 
> Yet I do not see any code to possibly prohibit changing the table.

There are calls from SECMARK and CONNSECMARK into the SELinux API, which 
are the labeling targets.


- James
-- 
James Morris
<jmorris@xxxxxxxxx>
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux