On Thursday 2008-05-22 00:43, James Morris wrote:
>On Thu, 22 May 2008, Jan Engelhardt wrote:
>> On Wednesday 2008-05-21 16:17, James Morris wrote:
>> >
>> >In a nutshell, the need for this arises from the fact that MAC labeling
>> >rules utilizing iptables via SECMARK and CONNSECMARK are not subject to
>> >discretionary security policy (i.e. not even "root" or a user with
>> >CAP_NET_ADMIN may be able to modify these rules).
>>
>> Yet I do not see any code to possibly prohibit changing the table.
>
>There are calls from SECMARK and CONNSECMARK into the SELinux API, which
>are the labeling targets.

But you cannot deny the deletion of a rule from within SECMARK; there is
not even a ->destroy function in that module.