On Fri, 2006-08-11 at 15:32 -0500, Kris Wilson wrote:
> [EMAIL PROTECTED] wrote on 08/11/2006 03:02:03 PM:
>
> > On Fri, 11 Aug 2006, Stephen Smalley wrote:
> >
> > > On Fri, 2006-08-11 at 16:34 -0300, Thiago Jung Bauermann wrote:
> > > > Hi folks,
> > > >
> > > > What is the status of the node and netif hooks in light of the recent
> > > > networking developments (secmark, CIPSO, netlabel, mlsxfrm...)? Are they
> > > > being removed? Not removed but obsoleted? If the latter are they
> > > > affected in their functionality?
> > > >
> > > > It seems secmark removes those hooks, but then a compatibility flag can
> > > > be turned on to get them back, right?
> > >
> > > Well, yes and no.
> > >
> > > secmark is intended to supersede the old netif/node/port checks. There
> > > is ongoing work to integrate secmark fully. It would be preferable if
> > > you could use it for your purposes rather than the old checks.
> >
> > Eventually, I think it'd be good to remove the old controls (but not for
> > some time, perhaps a year or two).
>
> An additional question is will the node and netif constraints remain in
> the mls policy for RHEL5? From the comment above, it sounds as though
> they will.

They might be present, but they aren't achieving anything unless
compat_net is enabled, because those checks are disabled.

--
Stephen Smalley
National Security Agency

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
