On Fri, 10 Jan 2014 21:25:47 +0200 Victor Porton <porton@xxxxxxxx> wrote:

> I propose to create a new NetFilter table dedicated to rules created
> programmatically (not by explicit admin's iptables command).
>
> Otherwise an admin could be tempted to say `iptables -F security`
> which would probably break rules created for example by sandboxing
> software (which may follow same-origin policy to restrict one
> particular program to certain domain and port only). Note that in
> this case `iptables -F security` is a security risk (sandbox
> breaking)?
>
> New table could possibly be called:
>
> - temp
> - temporary
> - auto
> - automatic
> - volatile
> - daemon
> - system
> - sys
>
> In iptables docs it should be said that this table should not be
> manipulated manually.

Just like the last thread, this one is also completely unrelated to SELinux.

And it doesn't make sense anyway. Only the admin can manipulate netfilter rules, so he'll know if they can flush them or not. If you want to separate automatically-created rules (which is a good idea), just put them in a separate *chain*, not a separate *table*.

Side note: Even assuming creating such a table would make any sense, one wouldn't suffice, you'd have to create five of them.

And if you still prefer to create new kernel interfaces for your specific requirements instead of using the well thought-out and much more flexible preexisting ones -- nobody keeps you from patching your kernel, just don't try to upstream them.

--
Luis Ressel <aranea@xxxxxxxx>
GPG fpr: F08D 2AF6 655E 25DE 52BC E53D 08F5 7F90 3029 B5BD
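A concrete form of the "separate chain, not separate table" suggestion, as an added example that is not part of this thread: a shell function that emits an iptables-restore fragment confining one sandboxed uid to a single host and port through a dedicated user chain in the existing filter table. The chain name SANDBOX_AUTO, uid 1001, address 203.0.113.10 and port 443 are constructed placeholders.

```shell
#!/bin/sh
# Added example: programmatically created rules live in their own user
# chain (SANDBOX_AUTO, an assumed name) inside the filter table, hooked
# from OUTPUT. "iptables -F OUTPUT" or "iptables -F security" leaves the
# sandbox rules in place; only "iptables -F SANDBOX_AUTO" clears them.
CHAIN="${CHAIN:-SANDBOX_AUTO}"

# sandbox_ruleset UID DEST_IP PORT
# Prints an iptables-restore fragment that lets processes running as UID
# open TCP connections only to DEST_IP:PORT (plus loopback and replies to
# existing connections) and rejects everything else they send.
# Nothing is applied here; see apply_ruleset.
sandbox_ruleset() {
    uid="$1"; dest="$2"; port="$3"
    cat <<EOF
*filter
:${CHAIN} - [0:0]
-A OUTPUT -m owner --uid-owner ${uid} -j ${CHAIN}
-A ${CHAIN} -o lo -j ACCEPT
-A ${CHAIN} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A ${CHAIN} -p tcp -d ${dest} --dport ${port} -m conntrack --ctstate NEW -j ACCEPT
-A ${CHAIN} -j REJECT --reject-with icmp-admin-prohibited
COMMIT
EOF
}

# hook_rule UID  -- the single OUTPUT line that diverts UID into the chain;
# check it with "iptables -C OUTPUT ..." before loading the fragment a
# second time, since -n (noflush) appends rather than replaces.
hook_rule() {
    printf -- '-A OUTPUT -m owner --uid-owner %s -j %s\n' "$1" "$CHAIN"
}

# apply_ruleset UID DEST_IP PORT  -- loads the fragment without flushing
# any other chain. Requires root and iptables; not exercised by the test.
apply_ruleset() {
    sandbox_ruleset "$@" | iptables-restore -n
}
```

Because the owner match is only valid in OUTPUT and POSTROUTING, this restricts what the sandboxed program initiates, not what reaches it; an INPUT-side chain would need a different selector.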