Re: [PATCH system/core] add iptables secmark labeling script to startup

On Mon, 2012-06-18 at 11:23 -0400, Joshua Brindle wrote:
> Paul Moore wrote:
> > On Saturday, June 16, 2012 02:56:36 PM Joshua Brindle wrote:
> >> Change-Id: I47100243b04d9629d44c8962eafeacabdcd0e6d2
> >>
> >> Signed-off-by: Joshua Brindle<jbrindle@xxxxxxxxxx>
> >> ---
> >>   rootdir/init.rc |    4 ++++
> >>   1 file changed, 4 insertions(+)
> >>
> >> diff --git a/rootdir/init.rc b/rootdir/init.rc
> >> index 7131095..bd4bc81 100644
> >> --- a/rootdir/init.rc
> >> +++ b/rootdir/init.rc
> >> @@ -372,6 +372,10 @@ service console /system/bin/sh
> >>       user shell
> >>       group log
> >>
> >> +service netlabels /system/bin/iptables-selinux.sh
> >> +    class core
> >> +    oneshot
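Review bot: missing documentation: the commit message carries only a Change-Id and a Signed-off-by, so nothing explains what `/system/bin/iptables-selinux.sh` configures, why the `netlabels` service belongs in `class core`, or which userspace patch provides the script, which this change to `rootdir/init.rc` does not add; a short description covering those points would help reviewers and anyone bisecting boot behaviour later. Also worth stating in the message: unlike the neighbouring `console` service, whose context lines carry `user shell` and `group log`, the new stanza has no `user` or `group` directive and will therefore run as root, which iptables needs but should be a deliberate, documented choice. Given the naming discussion in this thread, the service name and the script name should agree on scope (secmark/iptables only versus general SELinux network setup) before this is merged.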
> >
> > I don't know much about Android development or the boot process, but I wonder
> > if it would make sense to either change the name of the service or the script
> > it executes.  While the script seems aptly named for its current
> > functionality, the service name might become a problem if an Android user ever
> > needs to enable NetLabel support.
> >
> > I would suggest either changing the service name to reflect the
> > secmark/iptables nature of the script or changing the name of the script to
> > something more generic, e.g. selinux-network.sh, so that it is less awkward if
> > the script grows at some point to contain secmark labeling rules, NetLabel
> > configuration, labeled IPsec, etc.
> >
> 
> That is fine. This script generally should just be the initial network state. I 
> fully expect that VPN apps, etc would have to do runtime label changes, both 
> using secmark and labeled ipsec.

Up to you but if you want the script to cover general selinux network
configuration, you'll want to rename it and re-spin all of the userspace
patches.  Or you can leave it specific to iptables and just change the
name of the service in this one patch to fit that purpose.

-- 
Stephen Smalley
National Security Agency
