On Tue, 2006-08-22 at 11:43 -0500, George C. Wilson wrote:
> On Tue, Aug 22, 2006 at 11:21:26AM -0400, James Morris wrote:
> > On Tue, 22 Aug 2006, Joe Nall wrote:
> >
> > > I hope secmark will make it into RH5, giving us a mechanism to label
> > > individual hosts that don't support CIPSO or IPSec labeled networking.
> >
> > It's the default now. The old controls are only there for legacy
> > purposes.
> >
> > - James
> > --
> > James Morris
> > <[EMAIL PROTECTED]>
>
> Is it acceptable to make use of the old controls for the certified
> configuration? Or must we migrate to secmark? We want to avoid having to
> document and test secmark so that we don't increase the scope of the TOE.

You'd need a special policy that omits the packet class, or you'd need
to modify libselinux to not switch on secmark when loading policies that
define that class.

--
Stephen Smalley
National Security Agency

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
