On Thursday, May 31, 2012 07:54:54 AM Christopher J. PeBenito wrote:
> On 05/30/12 10:30, Paul Moore wrote:
> > On Wednesday, May 30, 2012 09:22:08 AM Chris PeBenito wrote:
> >> Currently the packet class in SELinux is not checked if there are no
> >> SECMARK rules in the security or mangle netfilter tables. Some systems
> >> prefer that packets are always checked, for example, to protect the
> >> system should the netfilter rules fail to load or if the netfilter rules
> >> were maliciously flushed.
> >>
> >> Add the always_check_packets policy capability which, when enabled,
> >> treats SECMARK as enabled, even if there are no netfilter SECMARK rules.
> >
> > I'm against committing this patch without some matching mechanism to
> > incorporate the secmark labeling configuration in the greater SELinux
> > policy. I explained why roughly 87 times in the previous RFC email thread
> > started by Chris so I'll save us all some time and not repeat it here.
> >
> > Ignoring my own objections for a moment and glancing at the patch, I see
> > that it is incomplete/incorrect as it does not include support for the
> > network peer labels. See the original RFC email thread.
>
> The question is if they should be tied to the same policy capability. If
> so, this capability should be renamed. If not, the patch is fine, as I can
> just as easily send a second patch. I'm undecided if they should be tied
> together.

If you're going to do one, do them all.

-- 
paul moore
www.paul-moore.com
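The failure mode the patch description above is guarding against (SECMARK rules that never loaded or were flushed, leaving the packet class unchecked) can be detected from the ruleset itself. The script below is an added example, not part of the thread or of the SELinux patch under discussion: it counts SECMARK target rules in the mangle and security tables of an iptables-save style dump and reports whether packet labeling is active. The rule dumps, the `count_secmark_rules` and `secmark_active` function names and the `example_packet_t` context are all constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the SELinux patch):
# decide whether SECMARK labeling is in effect by looking for SECMARK
# target rules in the mangle or security netfilter tables, which is the
# condition the thread says controls whether the packet class is checked
# when the proposed policy capability is not enabled.
#
# Assumed input format: iptables-save style output on stdin, with "*table"
# headers and one "-A CHAIN ..." rule per line.

# Print the number of SECMARK rules found in the mangle and security tables.
# SECMARK rules in other tables (e.g. filter) are ignored because netfilter
# only honours the target in mangle/security.
count_secmark_rules() {
    awk '
        /^\*/ { table = substr($0, 2); next }
        (table == "mangle" || table == "security") && /-j SECMARK / { n++ }
        END { print n + 0 }
    '
}

# Return 0 when at least one effective SECMARK rule exists, 1 otherwise.
# Argument: the rule dump as a single string.
secmark_active() {
    n=$(printf '%s\n' "$1" | count_secmark_rules)
    [ "$n" -gt 0 ]
}

# Constructed sample: one SECMARK rule in mangle, plus a SECMARK rule in the
# filter table that must not count. The context label is a placeholder.
SAMPLE_WITH_SECMARK='*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -j SECMARK --selctx system_u:object_r:example_packet_t:s0
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -j SECMARK --selctx system_u:object_r:example_packet_t:s0
COMMIT'

# Constructed sample: what the mangle table looks like after a flush.
SAMPLE_FLUSHED='*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
COMMIT'

# Stand-alone demonstration on the constructed dumps.
for name in SAMPLE_WITH_SECMARK SAMPLE_FLUSHED; do
    eval "dump=\$$name"
    if secmark_active "$dump"; then
        echo "$name: SECMARK rules present, packet class will be checked"
    else
        echo "$name: no SECMARK rules, packet class is NOT checked (without the capability)"
    fi
done

# On a real host (requires root and iptables-save), run instead:
#   iptables-save | count_secmark_rules
```

The live invocation in the trailing comment is the useful one on a real system; the constructed dumps exist only so the logic can be exercised offline.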