Stephen Smalley wrote:
> Using compat_net isn't difficult; it just requires reverting the change
> to libselinux so that it won't be overwritten upon policy load, and then
> putting something in your certification package to enable it manually,
> most likely by echo'ing a 1 to /selinux/compat_net from rc.sysinit or
> similar. So that is certainly doable if you need it.

I didn't see any more mail on this subject but reverting the change to libselinux sounds like a good idea to me, even if we do include secmark in the LSPP evaluation. If the default for the kernel parameter is to use secmark then the only people who have to worry about the setting are the ones who want legacy controls. Having a way for them to turn it on without it being turned off again seems like a good idea.

-- ljk

--
redhat-lspp mailing list
https://www.redhat.com/mailman/listinfo/redhat-lspp
