On Friday, May 03, 2013 09:05:39 AM Chris PeBenito wrote:
> Currently the packet class in SELinux is not checked if there are no
> SECMARK rules in the security or mangle netfilter tables. Some systems
> prefer that packets are always checked, for example, to protect the system
> should the netfilter rules fail to load or if the netfilter rules
> were maliciously flushed.
>
> Add the always_check_network policy capability which, when enabled, treats
> SECMARK as enabled, even if there are no netfilter SECMARK rules and
> treats peer labeling as enabled, even if there is no Netlabel or
> labeled IPSEC configuration.

For those who have forgotten the previous discussion on this I feel the need
to renew my comment that if you are really serious about this you need to
also provide a mechanism to validate the current secmark labeling
configuration against the policy.

> Includes definition of "redhat1" SELinux policy capability, which
> exists in the SELinux userspace library, to keep ordering correct.

This is a bit of a nit, but I might suggest submitting the "redhat1" policy
capability as a distinct patch just to make it clear that it isn't really
related to this change and to also document what the "redhat1" policy
capability signifies.

> The SELinux userspace portion of this was merged last year, but this kernel
> change fell on the floor.
>
> Signed-off-by: Chris PeBenito <cpebenito@xxxxxxxxxx>

It likely won't matter, but NACK'd in principle to get Chris to do this the
right way and also provide a way to validate the secmark configuration.

-- 
paul moore
www.paul-moore.com
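The exchange above turns on two checks an administrator would want to run: whether the packet class is actually being enforced (SECMARK rules present, or the always_check_network capability forcing the check), and whether each SECMARK context in the netfilter rules names a packet type that exists in the loaded policy. The following Python script is an added example written for this page, not code from the patch, the kernel or the SELinux userspace. It parses iptables-save style output (a constructed sample is embedded), validates the --selctx contexts against a set of packet types (on a real system the set would come from something like `seinfo -apacket_type -x`; here it is a constructed list), and reads the capability flag from /sys/fs/selinux/policy_capabilities/always_check_network, which is the sysfs location assumed for the capability described in the patch.

```python
import re
from pathlib import Path

# Assumed sysfs location of the policy capability flag ("1" when enabled).
POLCAP_PATH = Path("/sys/fs/selinux/policy_capabilities/always_check_network")

# Matches the SECMARK target and its --selctx argument in iptables-save lines.
SECMARK_RE = re.compile(r"-j\s+SECMARK\s+--selctx\s+(\S+)")

# Constructed sample of `iptables-save` output: one valid SECMARK rule and one
# whose type does not exist in the (constructed) policy below.
SAMPLE_IPTABLES_SAVE = """\
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j SECMARK --selctx system_u:object_r:ssh_server_packet_t:s0
-A INPUT -p tcp -m tcp --dport 80 -j SECMARK --selctx system_u:object_r:htpd_server_packet_t:s0
COMMIT
*security
:INPUT ACCEPT [0:0]
COMMIT
"""

# Constructed stand-in for the packet types present in the loaded policy.
SAMPLE_PACKET_TYPES = {
    "ssh_server_packet_t",
    "http_server_packet_t",
    "unlabeled_t",
}


def parse_secmark_rules(iptables_save_text):
    """Return [(table, chain, context)] for every SECMARK rule found."""
    rules = []
    table = None
    for raw in iptables_save_text.splitlines():
        line = raw.strip()
        if line.startswith("*"):           # "*mangle" starts a new table
            table = line[1:]
        elif line.startswith("-A "):       # "-A CHAIN ..." appends a rule
            match = SECMARK_RE.search(line)
            if match:
                chain = line.split()[1]
                rules.append((table, chain, match.group(1)))
    return rules


def validate_contexts(rules, packet_types):
    """Return the contexts whose type field is not a known packet type."""
    bad = []
    for _table, _chain, ctx in rules:
        fields = ctx.split(":")            # user:role:type[:range]
        if len(fields) < 3 or fields[2] not in packet_types:
            bad.append(ctx)
    return bad


def always_check_network_enabled(polcap_file=POLCAP_PATH):
    """True if the policy capability is reported as enabled by the kernel."""
    try:
        return polcap_file.read_text().strip() == "1"
    except OSError:
        # File absent: older kernel, capability not defined, or selinuxfs
        # not mounted. Treat as not enabled.
        return False


def assess(rules, capability_enabled):
    """Classify whether packet checks are in effect, per the patch description."""
    if any(table in ("security", "mangle") for table, _chain, _ctx in rules):
        return "secmark-active"
    if capability_enabled:
        return "secmark-forced-by-policy"
    return "packet-checks-disabled"


def main():
    rules = parse_secmark_rules(SAMPLE_IPTABLES_SAVE)
    for table, chain, ctx in rules:
        print(f"{table}/{chain}: {ctx}")
    for ctx in validate_contexts(rules, SAMPLE_PACKET_TYPES):
        print(f"WARNING: type in {ctx} is not a packet type in policy")
    print("state:", assess(rules, always_check_network_enabled()))


if __name__ == "__main__":
    main()
```

On a live host, replace SAMPLE_IPTABLES_SAVE with the output of `iptables-save` (and `ip6tables-save`) and SAMPLE_PACKET_TYPES with the type list from the policy query tool of your choice; the "packet-checks-disabled" state is exactly the flushed-rules condition the commit message describes, and the type check is the policy-versus-configuration validation the reviewer asks for.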