On Thu, 22 May 2008, Jan Engelhardt wrote:

> On Wednesday 2008-05-21 16:17, James Morris wrote:
>
> >In a nutshell, the need for this arises from the fact that MAC labeling
> >rules utilizing iptables via SECMARK and CONNSECMARK are not subject to
> >discretionary security policy (i.e. not even "root" or a user with
> >CAP_NET_ADMIN may be able to modify these rules).
>
> Yet I do not see any code to possibly prohibit changing the table.

There are calls from SECMARK and CONNSECMARK into the SELinux API, which are
the labeling targets.

- James

--
James Morris <jmorris@xxxxxxxxx>
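For readers unfamiliar with the rules the thread refers to, here is an added iptables-restore fragment (not from the thread or the netfilter tree) showing SECMARK and CONNSECMARK labeling of inbound SSH in the mangle table, where such rules lived on 2008 kernels. The SELinux contexts are assumed to be defined by the loaded policy; once these rules are in place, the label they attach is what SELinux policy checks for each packet, which is why who may rewrite the table is a MAC policy question rather than a root/CAP_NET_ADMIN one.

```text
# Added example, not part of the original thread.
# Load with: iptables-restore < secmark-ssh.rules
# Contexts below are assumed to exist in the loaded SELinux policy.
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# First packet of a new inbound SSH connection gets a security mark
# (an SELinux SID) derived from the given context.
-A INPUT -p tcp --dport 22 -m state --state NEW -j SECMARK --selctx system_u:object_r:ssh_server_packet_t:s0
# Copy that packet's mark onto the connection-tracking entry.
-A INPUT -m state --state NEW -j CONNSECMARK --save
# Later packets of the connection, in both directions, inherit the
# connection's mark so policy sees a consistent packet label.
-A INPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
-A OUTPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
COMMIT
```

With this loaded, SELinux policy decides whether a domain such as sshd may receive packets labeled ssh_server_packet_t; dropping or altering these rules changes the labels every later access decision is based on.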