On Friday 13 February 2009 05:17:13 pm chanson@xxxxxxxxxxxxx wrote:
> You are correct, we want to keep the existing overrides, but not provide
> any more overrides. The network interface / node checking rope should be
> very short. The few exceptions of unlabeled_t or kernel_t. kernel_t was
> necessary for nfs a while back (may not be necessary now), probably
> iSCSI, or basically things where the kernel is generating the packet
> instead of a process and not assuming other credentials.

Well, I suppose we can take the minimalistic, aka "short rope", approach right now since the ingress/egress controls are still new and not really integrated into policy in the form of templates. As we continue to develop the policy and we find a need for them we can always [re-]add them.

Unless anyone chimes in over the weekend or next Monday I'll respin a patch next week.

Just out of curiosity, are you guys using any of the new stuff or are you still using your own special kernel with the rejected network controls? I ask because I would be curious about any feedback you might have on the new bits in mainline.

-- 
paul moore
linux @ hp

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.