[EMAIL PROTECTED] wrote:
> On Thu, 13 Jul 2006 17:07:32 EDT, Paul Moore said:
> 
> 
>>No, but I don't think anyone has tried yet.  That's my next step (at
>>this moment I'm trying to fix something I broke during the last round of
>>comments) but I don't expect that to be any more of a problem than
>>trying to reconcile the existing jumble of networking hooks.
> 
> 
> I'll look at that this weekend as well - a quick 5-minute overview
> seems to indicate that there won't be any major code collisions, and
> Klaus Weidner's "toy policy module" shouldn't conflict on the SELinux side.
> 
> Where it gets interesting is that somebody has to go through all the
> combinations (both off, both on, etc), and make sure the SECMARK tags
> added via iptables and the CIPSO tags added via netlabelctl interact
> correctly.  In particular, Klaus's module has some 'allow {...}' lines
> in it - we need to make sure that those don't short-circuit and let
> through a packet that would have failed because none of the SECMARK
> rules for foo_packet_t would allow the packet, and vice versa.
> 

It seems porting to 2.6.18-rc1 was even easier than expected.  I just
finished up the changes and I'm starting to build a full kernel and do
some sanity checks - assuming all is well I'll post the changes to
netdev/selinux this afternoon.

-- 
paul moore
linux security @ hp

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp