On Monday, May 14, 2012 01:17:30 PM Stephen Smalley wrote:
> Didn't the old behavior lead to the undesirable result that refpolicy
> allows every domain (or at least every domain that does networking) to
> send/recv unlabeled packets, such that you cannot effectively employ
> SECMARK unless you first modify and rebuild your entire policy to take
> away the unlabeled packet access? Whereas with the new behavior one
> could drop those rules and then when someone does enable SECMARK, they
> get to fully define the allowable network traffic?

Yep.

> I'm not averse to making it optional/configurable, but I think a policy
> capability is how you should do it. That is what they are for, and they
> are supposed to provide a more explicit mechanism than either the
> handle_unknown logic or the old compat_net logic ...

*If* we decide to go this route, I agree, policy capabilities seem to be
the best fit. However, as I said earlier in my emails to Chris, I'm still
not certain this actually accomplishes anything useful.

--
paul moore
www.paul-moore.com
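As an added illustration of the policy-level point Stephen and Paul are discussing (this is not part of the thread, and it is not refpolicy's or the kernel's own text), the fragment below contrasts a policy that grants blanket unlabeled-packet access with one that leaves packet access to be defined by SECMARK. The `packet` object class with its `send`/`recv` permissions, the `unlabeled_t` context carried by packets that no SECMARK rule has labeled, and the iptables `SECMARK`/`CONNSECMARK` targets are real; the domain `httpd_t`, the packet type `httpd_server_packet_t` and the port choice are assumptions made for the example.

```selinux
# Added example, not from the thread. Shows why a blanket unlabeled-packet
# rule gets in the way of SECMARK, and what a policy that lets SECMARK
# "fully define the allowable network traffic" looks like.

# --- Old-style rule (what the thread says makes SECMARK ineffective) ---
# Every domain that does networking may exchange packets that carry no
# SECMARK label. Any packet the iptables rules do not match keeps the
# unlabeled_t context, so it is allowed no matter what you label later.
# With this rule in place SECMARK can only add permitted traffic; it can
# never deny anything by default.
allow domain unlabeled_t:packet { send recv };

# --- Same policy with that rule dropped ---
# Now a domain can only exchange packets whose label it has been granted.
# Types below are assumed for the illustration.
type httpd_server_packet_t;

# Only httpd_t may send/receive packets labeled httpd_server_packet_t.
allow httpd_t httpd_server_packet_t:packet { send recv };

# Matching iptables labeling (shown in comments because it is shell, not
# policy language). Established flows get their label back from conntrack;
# new inbound port-80 packets get the assumed type and save it on the
# connection.
#   iptables -t mangle -A INPUT -m state --state ESTABLISHED,RELATED \
#       -j CONNSECMARK --restore
#   iptables -t mangle -A INPUT -p tcp --dport 80 -m state --state NEW \
#       -j SECMARK --selctx system_u:object_r:httpd_server_packet_t:s0
#   iptables -t mangle -A INPUT -m state --state NEW -j CONNSECMARK --save
#   iptables -t mangle -A OUTPUT -m state --state ESTABLISHED,RELATED \
#       -j CONNSECMARK --restore
#
# Packets the rules do not label stay unlabeled_t. With no
# "allow ... unlabeled_t:packet" rule left in the policy they are denied
# for every domain, so the SECMARK rule set is the complete description
# of what traffic is permitted.
```

The caveat the thread is circling around: the second form only makes sense if the kernel does not demand unlabeled-packet permission while SECMARK is not in use at all, which is the "new behavior" Stephen refers to. Under the old behavior, removing the `unlabeled_t:packet` rule from a policy on a box with no SECMARK rules loaded would break networking for every domain, which is why refpolicy grants it so broadly in the first place.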