On Tuesday 2010-10-19 13:08, Anthony G. Basile wrote:
>On 10/18/2010 05:50 AM, Jan Engelhardt wrote:
>> On Sunday 2010-10-17 15:52, basile@xxxxxxxxxxxxxxxxxx wrote:
>>
>>> This patch adds a module which is useful to users of
>>> grsecurity's RBAC system. It matches packets based
>>> on whether RBAC is enabled or disabled.
>>
>> Can you elaborate a bit on how this is useful in conjunction with
>> rulesets? I could imagine it being used with LSM selctx'es for example, or
>> another extension that tests for other RBAC attributes.
>
>The idea here is that when the RBAC rulesets are not being enforced, the
>system is more vulnerable and the user wants stricter firewall rules.
>When RBAC is being enforced, one can relax the firewall and access to
>services which are now better protected. In practice this usually means
>allowing only access to some trusted IP(s) on boot before RBAC is turned on.

Thanks, I've put this into a branch that will be merged in time for the
1.31 release.