On Tuesday, February 22, 2011 6:23:34 AM Steffen Klassert wrote:
> On Wed, Feb 16, 2011 at 02:34:54PM -0500, Paul Moore wrote:
> > Believe it or not, this code you are changing was done that way for a reason: compatibility, bug-for-bug compatibility :)
>
> As a selinux newbie, I'm well advised to believe it :)
>
> > When the new ingress/egress controls were first introduced (check the archives, the patches were merged Jan 2008) the existing SELinux postroute code ran for every transform; this was obviously a bug that had persisted for some time, but considering the very strong desire to preserve any user/admin visible behavior, I did not fix this when I moved the old code up into selinux_ip_postroute_compat(). The good news is that I didn't carry over this bug into the new egress controls, as the IPsec transform check occurs before the egress controls are executed.
> >
> > So, a big NACK on this patch for compatibility reasons. In order to get the behavior you are looking for, make sure your policy enables the "network_peer_controls" policy capability.
>
> I just noticed that because I started with a dummy policy where I had network_peer_controls disabled. I can easily live without that patch of course.

Ah, that would explain it. Were you using the dummy policy generated by scripts/selinux? If so, that might be a worthwhile patch to add that policy capability to the generated policy.

--
paul moore
linux @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
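The thread turns on whether the loaded policy enables the network_peer_controls policy capability: with it off, the kernel takes the legacy selinux_ip_postroute_compat() path that re-checks every IPsec transform; with it on, the newer peer controls apply. Before chasing behaviour like the one Steffen saw, a practitioner wants to confirm which mode the running policy is in. The script below is an added example, not code from this thread or from the kernel tree; the selinuxfs location /sys/fs/selinux/policy_capabilities/<name> (one file per capability containing 1 or 0) and the policy-language statement `policycap network_peer_controls;` are real, while the function name and the optional root argument (used so it can be exercised against a constructed directory) are the author's own.

```shell
#!/bin/sh
# Added example: query a SELinux policy capability through selinuxfs.
# selinuxfs exposes each capability the kernel knows as a file under
# policy_capabilities/ whose content is "1" (enabled in the loaded policy)
# or "0" (disabled). A dummy policy that never declares
#     policycap network_peer_controls;
# leaves that file at 0, which selects the legacy compat network hooks.

# selinux_policycap_enabled CAP [SELINUXFS_ROOT]
#   prints "enabled"  and returns 0 when the capability is on
#   prints "disabled" and returns 1 when it is off
#   prints nothing    and returns 2 when selinuxfs is missing or the kernel
#                                   does not know the capability at all
# The second argument (default /sys/fs/selinux) is an assumption of this
# example so the function can be tested against a constructed tree.
selinux_policycap_enabled() {
    cap=$1
    root=${2:-/sys/fs/selinux}
    f="$root/policy_capabilities/$cap"

    [ -r "$f" ] || return 2

    # The file holds a single digit followed by a newline.
    read -r val < "$f" || return 2
    case "$val" in
        1) echo enabled;  return 0 ;;
        0) echo disabled; return 1 ;;
        *) return 2 ;;
    esac
}

# Stand-alone use: report the capability this thread is about.
# Non-zero returns are deliberately tolerated here so the script keeps
# going on a box without SELinux (output goes to stderr instead).
if [ -d /sys/fs/selinux/policy_capabilities ]; then
    selinux_policycap_enabled network_peer_controls || {
        echo "network_peer_controls is off or unknown: legacy selinux_ip_postroute_compat() path in use" >&2
    }
else
    echo "selinuxfs not mounted; cannot query policy capabilities" >&2
fi
```

If the check prints "disabled", the fix is in policy, not the kernel: add `policycap network_peer_controls;` to the policy source (for the scripts/selinux dummy policy, to the generated file) and reload it, rather than patching the compat hook as the original patch tried to.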