On Thu, Sep 23, 2010 at 6:30 PM, Mr Dash Four <mr.dash.four@xxxxxxxxxxxxxx> wrote:
> Whoever designed that part of the interface (it wasn't you by any chance,
> was it?) thought, wrongly, that secmark means
> 'show-me-the-internal-number-the-kernel-uses-to-identify-that-security-mark-for-that-particular-connection'!

It was written when secmark was implemented by an SELinux hacker (and an ex-netfilter hacker) named James Morris, who should have known better. James, I just cc'd you on this thread.

Basically the conntrack code exported the SELinux sid instead of the context to userspace via both procfs and its netlink interface. Mr Dash Four would like to show the context in both places (I'm going to stop showing the sid everywhere no matter what). Jan would like the netlink interface to show the context and the procfs interface to show nothing (since procfs is deprecated and what we have been showing has obviously gone unused).

I'll throw in my 2 cents. I would like to see the proc interface 'fixed' or 'enhanced', I don't care what it is called, to show the name. However, my patch series (now 6 patches long) splits the netlink and the procfs changes into separate pieces which can be selectively applied. If we can come to a consensus on the question of 'should we show nothing at all or the context in the procfs interface', then we can start the question of who wants to carry my series (since it straddles the security and the netfilter code).

-Eric

p.s. I'll send the series once I get the conntrack userspace code to understand my changes to make sure I didn't screw anything up.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
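As an added example (not code from this thread, from the kernel, or from the conntrack userspace tools), here is a small userspace parser for /proc/net/nf_conntrack entries that copes with both label forms the thread argues about: the old numeric secmark=<sid>, which only the kernel that minted it can interpret, and a secctx=<context> string that userspace can actually act on. The sample entries are constructed, and the field layout assumed here (fixed l3/l4 prefix and timeout, an optional state word, then key=value tokens where the original and reply tuples both use src=/dst=/sport=/dport=) is my reading of the procfs format rather than anything stated in the message.

```python
"""Parse /proc/net/nf_conntrack entries and extract the security label.

Added example; not kernel or conntrack-tools code. The entries below are
constructed for illustration and the field layout is an assumption.
"""

# Constructed sample table: one entry with the old numeric secmark, one with a
# context string, and one UDP entry carrying no label at all.
SAMPLE_ENTRIES = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.2 dst=10.0.0.1 sport=51234 dport=22 src=10.0.0.1 dst=10.0.0.2 sport=22 dport=51234 [ASSURED] mark=0 secmark=17 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.2 dst=10.0.0.1 sport=51234 dport=22 src=10.0.0.1 dst=10.0.0.2 sport=22 dport=51234 [ASSURED] mark=0 secctx=system_u:object_r:sshd_packet_t:s0 use=2
ipv4     2 udp     17 29 src=10.0.0.2 dst=10.0.0.53 sport=40000 dport=53 src=10.0.0.53 dst=10.0.0.2 sport=53 dport=40000 mark=0 use=1
"""

TUPLE_KEYS = ("src", "dst", "sport", "dport")


def parse_entry(line):
    """Turn one conntrack line into a dict.

    The 'security' value is a (kind, value) pair: ('sid', int) for the
    kernel-internal number, ('context', str) for an LSM context string, or
    None when the entry carries no label.
    """
    tokens = line.split()
    if len(tokens) < 5:
        raise ValueError("not a conntrack entry: %r" % line)
    entry = {
        "l3proto": tokens[0],
        "l3num": int(tokens[1]),
        "l4proto": tokens[2],
        "l4num": int(tokens[3]),
        "timeout": int(tokens[4]),
        "state": None,
        "flags": [],
        "orig": {},
        "reply": {},
        "security": None,
    }
    rest = tokens[5:]
    # Stateful protocols print a state word (ESTABLISHED, ...) before the tuples.
    if rest and "=" not in rest[0] and not rest[0].startswith("["):
        entry["state"] = rest.pop(0)

    side = entry["orig"]  # the first src=/dst= tuple is the original direction
    for tok in rest:
        if tok.startswith("[") and tok.endswith("]"):
            entry["flags"].append(tok[1:-1])
            continue
        key, _, value = tok.partition("=")
        if key in TUPLE_KEYS:
            # A second src= means we have moved on to the reply tuple.
            if key == "src" and "src" in side:
                side = entry["reply"]
            side[key] = value
        elif key == "secmark":
            entry["security"] = ("sid", int(value))
        elif key == "secctx":
            entry["security"] = ("context", value)
        else:
            entry[key] = value
    return entry


def parse_table(text):
    """Parse every non-empty line of a /proc/net/nf_conntrack dump."""
    return [parse_entry(line) for line in text.splitlines() if line.strip()]


def label_is_usable(entry):
    """True only when userspace can interpret the label without the kernel's
    SID table, i.e. when a context string rather than a bare SID was exported."""
    sec = entry["security"]
    return sec is not None and sec[0] == "context"


if __name__ == "__main__":
    for e in parse_table(SAMPLE_ENTRIES):
        print(e["l4proto"], e["orig"].get("dport"), e["security"], label_is_usable(e))
```

Running the block against a live system is a matter of replacing SAMPLE_ENTRIES with the contents of /proc/net/nf_conntrack; on a kernel that still prints secmark= the parser surfaces the number but label_is_usable() reports it as opaque, which is exactly the complaint that opened the thread.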