On Thu, Mar 22, 2012 at 12:21:20PM +0100, Pablo Neira Ayuso wrote:
> Hi Maciej,
>
> On Wed, Mar 21, 2012 at 01:50:59PM -0700, Maciej Żenczykowski wrote:
> > > True, but CLOEXEC on iptables... I mean... how is it mandatory?
> >
> > I'm not sure what you mean by mandatory.
>
> If this patch is needed, I think we have to stick to fcntl for
> backward compatibility reasons as well.
>
> > iptables does potentially fork/exec modprobe to load modules.
> > That can cause a selinux 'domain'/'role'/whatever-it-is-called crossing.
> > You can do automated inspection of what gets carried across such
> > privilege changes and any unexpected open file descriptors flag
> > problems, patches like this cut down on the noise.
>
> Could you resend the patch including the description of the precise
> problem that this fixes in selinux?

No need to do it. I've applied this to git.netfilter.org.

Thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
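The two points the thread touches, as an added example that is not part of the thread or of iptables: marking a descriptor close-on-exec with fcntl(2) rather than the O_CLOEXEC open flag (the backward-compatible route Pablo prefers), and an audit of which descriptors would be inherited by a fork/exec'd helper such as modprobe, as Maciej describes. The function names are hypothetical, /dev/null is a constructed input, and the audit assumes descriptors below 1024.

```c
#include <fcntl.h>
#include <unistd.h>

/* 1 if fd is close-on-exec, 0 if an exec'd helper such as modprobe
 * would inherit it, -1 if fd is not open. */
int is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : (flags & FD_CLOEXEC ? 1 : 0);
}

/* Mark fd close-on-exec via fcntl(2), the portable alternative to the
 * O_CLOEXEC open flag, keeping other descriptor flags. 0 on success. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    if (flags & FD_CLOEXEC)
        return 0;                        /* already set */
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Audit helper: count open descriptors in [3, max_fd) lacking
 * FD_CLOEXEC; 0-2 are skipped since they are meant to be inherited. */
int count_leaky_fds(int max_fd)
{
    int leaky = 0;
    for (int fd = 3; fd < max_fd; fd++)
        if (is_cloexec(fd) == 0)
            leaky++;
    return leaky;
}

/* Demo: open /dev/null (constructed input) without O_CLOEXEC, confirm the
 * audit flags it, fix it with set_cloexec(), confirm the count drops by one. */
int demo(void)
{
    int fd = open("/dev/null", O_RDONLY);
    if (fd < 0)
        return 0;
    int before = count_leaky_fds(1024);
    int ok = is_cloexec(fd) == 0 && set_cloexec(fd) == 0
             && is_cloexec(fd) == 1 && count_leaky_fds(1024) == before - 1;
    close(fd);
    return ok;                           /* 1 when every step behaved */
}
```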