[redhat-lspp] mls level to without classification
James Morris
jmorris at redhat.com
Tue Aug 22 23:20:08 UTC 2006
On Tue, 22 Aug 2006, Joe Nall wrote:
>
> On Aug 22, 2006, at 11:43 AM, George C. Wilson wrote:
>
> > Is it acceptable to make use of the old controls for the certified
> > configuration? Or must we migrate to secmark? We want to avoid having to
> > document and test secmark so that we don't increase the scope of the TOE.
>
> Two questions:
> 1) Without secmark, is it possible to label an IP address?
Yes. You can label 'nodes' (addr/mask), ports and interfaces.
> 2) If secmark is present and enabled in RH5, how do you
> remove it from the TOE? By administrative fiat or real
> code change?
You can disable secmark controls at boot or runtime:
/usr/src/linux/Documentation/kernel-parameters.txt

    selinux_compat_net =
            [SELINUX] Set initial selinux_compat_net flag value.
            Format: { "0" | "1" }
            0 -- use new secmark-based packet controls
            1 -- use legacy packet controls
            Default value is 0 (preferred).
            Value can be changed at runtime via
            /selinux/compat_net.
--
James Morris
<jmorris at redhat.com>
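
An added example, not part of the original message or of any Red Hat tooling: a shell check that reports which packet controls are in effect, for use when verifying a configuration against the kernel-parameters.txt excerpt quoted above. The function names and the sample command line are constructed for illustration. It assumes that the last selinux_compat_net= occurrence on the command line wins, that values outside the documented { "0" | "1" } format are ignored, and that a readable /selinux/compat_net reflects the current runtime value.

```shell
#!/bin/sh
# Added example: report which SELinux packet controls are in effect.
# 0 = secmark-based controls, 1 = legacy controls (per the quoted excerpt).

# Print the value requested on the kernel command line ($1), or the
# documented default (0) when the parameter is absent.
# Assumption: last occurrence wins; values other than 0 or 1 are ignored.
boot_compat_net() (
    set -f                      # no globbing while splitting the command line
    val=0
    for word in $1; do
        case "$word" in
            selinux_compat_net=[01]) val=${word#selinux_compat_net=} ;;
        esac
    done
    printf '%s\n' "$val"
)

# Print the effective value: the runtime file ($2, default
# /selinux/compat_net) if it is readable and holds 0 or 1, otherwise
# the boot-time value derived from the command line ($1).
effective_compat_net() {
    runtime_file=${2:-/selinux/compat_net}
    if [ -r "$runtime_file" ]; then
        v=$(tr -d '[:space:]' < "$runtime_file")
        case "$v" in
            0|1) printf '%s\n' "$v"; return 0 ;;
        esac
    fi
    boot_compat_net "$1"
}

# Map the flag value to the wording used in kernel-parameters.txt.
describe_compat_net() {
    case "$1" in
        0) echo "secmark-based packet controls" ;;
        1) echo "legacy packet controls" ;;
        *) echo "unknown"; return 1 ;;
    esac
}

# Constructed sample command line; on a real system pass "$(cat /proc/cmdline)"
# and omit the second argument so /selinux/compat_net is consulted.
sample='ro root=LABEL=/ selinux_compat_net=1'
describe_compat_net "$(effective_compat_net "$sample" /nonexistent/compat_net)"
```
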