[redhat-lspp] status of node and netif hooks

Stephen Smalley sds at tycho.nsa.gov
Fri Aug 11 20:00:46 UTC 2006


On Fri, 2006-08-11 at 16:34 -0300, Thiago Jung Bauermann wrote:
> Hi folks,
> 
> What is the status of the node and netif hooks in light of the recent
> networking developments (secmark, CIPSO, netlabel, mlsxfrm...)? Are they
> being removed? Not removed but obsoleted? If the latter are they
> affected in their functionality?
> 
> It seems secmark removes those hooks, but then a compatibility flag can
> be turned on to get them back, right?

Well, yes and no.

secmark is intended to supersede the old netif/node/port checks.  There
is ongoing work to integrate secmark fully.  It would be preferable if
you could use it for your purposes rather than the old checks.  

If not, then there is the compat_net setting (boot param and /selinux
node), but a policy load will cheerfully overwrite that at present based
on whether the policy you are loading has the new definitions for
secmark or not (in particular, the packet security class it uses).  So
just setting it by hand won't help if you later load a policy that has
the packet class in it.  

-- 
Stephen Smalley
National Security Agency
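To make the point about compat_net concrete, here is an added example (not part of the mail or of the SELinux sources) for checking whether a hand-set compat_net value will survive the next policy load. It assumes selinuxfs is mounted at /selinux as in the mail, that it exposes a compat_net file holding 0 or 1, and that it exposes a class/<name> directory for each class in the loaded policy; the selinuxfs layout and the path argument are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original mail. Reports the compat_net
# setting and whether the loaded policy defines the "packet" class, and
# flags the case the mail warns about: a hand-set compat_net that the next
# policy load will overwrite because the policy's packet class says
# otherwise. The selinuxfs layout below is an assumption.

SELINUXFS="${SELINUXFS:-/selinux}"   # assumed mount point (as in the mail)

# read_compat_net ROOT -> prints "0" or "1", or "unknown" if the file is absent
read_compat_net() {
    root="${1:-$SELINUXFS}"
    if [ -r "$root/compat_net" ]; then
        tr -d '\n' < "$root/compat_net"
    else
        printf 'unknown'
    fi
}

# policy_has_packet_class ROOT -> exit 0 if the loaded policy defines the
# packet class (assumed to be visible as ROOT/class/packet)
policy_has_packet_class() {
    root="${1:-$SELINUXFS}"
    [ -d "$root/class/packet" ]
}

# compat_net_effective ROOT -> prints "legacy" when the old netif/node/port
# checks are enabled, "secmark" when they are off, "unknown" otherwise
compat_net_effective() {
    root="${1:-$SELINUXFS}"
    case "$(read_compat_net "$root")" in
        1) printf 'legacy' ;;
        0) printf 'secmark' ;;
        *) printf 'unknown' ;;
    esac
}

# compat_net_sticky ROOT -> exit 0 if the current compat_net value matches
# what a reload of the same policy would set it to (packet class present
# means compat_net=0, absent means compat_net=1), exit 1 if a reload would
# silently overwrite it
compat_net_sticky() {
    root="${1:-$SELINUXFS}"
    flag=$(read_compat_net "$root")
    if policy_has_packet_class "$root"; then
        [ "$flag" = "0" ]
    else
        [ "$flag" = "1" ]
    fi
}

# compat_net_report ROOT -> one-line summary for an operator
compat_net_report() {
    root="${1:-$SELINUXFS}"
    if compat_net_sticky "$root"; then
        printf 'compat_net=%s (%s): consistent with loaded policy\n' \
            "$(read_compat_net "$root")" "$(compat_net_effective "$root")"
    else
        printf 'compat_net=%s (%s): WILL BE OVERWRITTEN on next policy load\n' \
            "$(read_compat_net "$root")" "$(compat_net_effective "$root")"
    fi
}
```

Source the file and run `compat_net_report` (or `compat_net_report /path/to/selinuxfs`) before and after `load_policy`; a "WILL BE OVERWRITTEN" line means the manually set flag disagrees with the policy's packet class and the next load will flip it back, which is the behaviour the reply describes.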