On Mon, Aug 28, 2006 at 02:05:50PM -0400, Linda Knippers wrote:
> Stephen Smalley wrote:
> > Using compat_net isn't difficult; it just requires reverting the change
> > to libselinux so that it won't be overwritten upon policy load, and then
> > putting something in your certification package to enable it manually,
> > most likely by echo'ing a 1 to /selinux/compat_net from rc.sysinit or
> > similar. So that is certainly doable if you need it.
>
> I didn't see any more mail on this subject but reverting the change
> to libselinux sounds like a good idea to me, even if we do include
> secmark in the LSPP evaluation. If the default for the kernel parameter
> is to use secmark then the only people who have to worry about the
> setting are the ones who want legacy controls. Having a way for them
> to turn it on without it being turned off again seems like a good
> idea.
>

I agree. There is no need to have compatibility code if it can't actually
be used. And my preference would be to use compat_net for LSPP.

The better solution would be to include secmark. But doing so would be a
significant hit to test and documentation.

I am hoping to discuss at the meeting this afternoon.

-- 
George Wilson <[EMAIL PROTECTED]>
IBM Linux Technology Center
