On Fri, 2006-08-11 at 16:34 -0300, Thiago Jung Bauermann wrote:
> Hi folks,
>
> What is the status of the node and netif hooks in light of the recent
> networking developments (secmark, CIPSO, netlabel, mlsxfrm...)? Are they
> being removed? Not removed but obsoleted? If the latter, are they
> affected in their functionality?
>
> It seems secmark removes those hooks, but then a compatibility flag can
> be turned on to get them back, right?
Well, yes and no. secmark is intended to supersede the old netif/node/port checks. There is ongoing work to integrate secmark fully. It would be preferable if you could use it for your purposes rather than the old checks.

If not, then there is the compat_net setting (boot param and /selinux node), but a policy load will cheerfully overwrite that at present based on whether the policy you are loading has the new definitions for secmark or not (in particular, the packet security class it uses). So just setting it by hand won't help if you later load a policy that has the packet class in it.

--
Stephen Smalley
National Security Agency
