Re: Speaking of networking...

On Wednesday 27 February 2008 10:54:02 am Daniel J Walsh wrote:
> Paul Moore wrote:
> > On Wednesday 27 February 2008 9:01:31 am James Morris wrote:
> >> Any further thoughts on how to push the secmark integration
> >> forward?
> >>
> >> The secmark table patch should allow MAC rules to be administered
> >> independently, and I know there has been some demand for the new
> >> (well, now not so new) networking controls.
> >
> > When I asked this question previously the one thing that came up
> > was semanage integration/compatibility.  However, there didn't
> > appear to be a consensus as to if that was a good idea because
> > semanage has a rather simplistic view of local network controls due
> > to the limitations of the legacy netif/node controls.
> >
> > I'm with you in that I'd really like to see all of the
> > distributions shift over to using secmark.  Beyond the normal
> > performance improvement of moving to secmark, starting with 2.6.25
> > having both secmark and the new network_peer_controls capability
> > enabled should result in a nice performance boost* over the legacy
> > network controls.
> >
> > * No, I don't have any numbers yet, but looking at the code should
> > explain why.
>
> I have no problem with switching to this, as long as we do NO harm.
> I.e., everything just works.
> Nothing breaks when the user shuts down iptables.
>
> It needs to be exactly compatible with what we have now.
>
> Permissive mode has got to work.
>
> And it has to be before Beta 1 March 4.
>
> It has to be easy for a user to customize.
>
> Most users will never use it, so it better not be a headache.

I'd like to think that at some point we can evolve the mechanisms/tools 
so that normal users can/will take advantage of these controls ... then 
again, I'm more than a little bit biased (what do you mean it's hard to 
use?!) and a tinge starry-eyed.

Back to the real world, in 2.6.25 _all_ of the "new" networking controls 
(including secmark, NetLabel, and labeled IPsec) are dynamic.  This 
means that by default there are no permission checks applied, not even 
unlabeled_t checks; you have to configure something (i.e. load the gun 
and point it at your own foot) for the controls to become active.  In a 
sense, the new additions _should_* actually make life easier for you.

* Really, I mean it this time :)

-- 
paul moore
linux security @ hp
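The "you have to configure something" in Paul's message refers to loading packet-labelling rules; the following script is an added example (not code from the thread or from any of its participants) showing what that configuration looks like for SSH. Until rules like these are loaded, the secmark path makes no decisions at all, and flushing them returns the host to that state, which is the "nothing breaks when iptables is shut down" property Dan asks for. The script assumes the refpolicy-style packet types `ssh_server_packet_t` and `ssh_client_packet_t` exist in the loaded policy and that the iptables build has the SECMARK and CONNSECMARK targets; the `IPTABLES` variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example: activate secmark checks for SSH by labelling packets.
# Assumptions (not from the thread): packet types ssh_server_packet_t and
# ssh_client_packet_t exist in the loaded policy; iptables provides the
# SECMARK and CONNSECMARK targets in the mangle table.

IPTABLES="${IPTABLES:-iptables}"   # override to test without root, e.g. IPTABLES=echo

# Rule list, one iptables argument string per line.  Order matters:
#  1. restore the saved label onto packets of already-tracked connections,
#  2. label the first packet of new SSH connections,
#  3. save that label into the conntrack entry so replies inherit it.
# Packets matched by none of these keep secmark 0 and are never checked.
secmark_rules() {
    cat <<'EOF'
-t mangle -A INPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
-t mangle -A OUTPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
-t mangle -A INPUT -p tcp --dport 22 -m state --state NEW -j SECMARK --selctx system_u:object_r:ssh_server_packet_t:s0
-t mangle -A OUTPUT -p tcp --dport 22 -m state --state NEW -j SECMARK --selctx system_u:object_r:ssh_client_packet_t:s0
-t mangle -A INPUT -m state --state NEW -j CONNSECMARK --save
-t mangle -A OUTPUT -m state --state NEW -j CONNSECMARK --save
EOF
}

# Number of rules the list would install.
count_rules() {
    secmark_rules | wc -l | tr -d ' '
}

# Install the rules.  Word-splitting of $rule is intentional: each line is
# a complete argument vector for iptables.
apply_secmark_rules() {
    secmark_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086
        "$IPTABLES" $rule || return 1
    done
}

# Remove all mangle rules, which also disables every secmark check again.
flush_secmark_rules() {
    "$IPTABLES" -t mangle -F
}

# Policy side, for reference: once packets carry ssh_server_packet_t, the
# policy must grant the daemon's domain the packet permissions, e.g.
#   allow sshd_t ssh_server_packet_t:packet { send recv };
# (refpolicy wraps this in corenet_* interfaces; the raw rule is shown here
# only to make the relationship between the label and the check visible.)

if [ "${1:-}" = "apply" ]; then
    apply_secmark_rules
elif [ "${1:-}" = "flush" ]; then
    flush_secmark_rules
fi
```

Run it as `IPTABLES=echo sh secmark.sh apply` to see the exact commands without touching the firewall; in permissive mode the resulting `packet` denials show up in the audit log as AVCs just like any other class, so the rules can be staged and observed before enforcing.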
