On 9/7/10 3:27 PM, Mr Dash Four wrote:
>>> Instead of manually adding "SAVE I:N", "SAVE O:N" and then "RESTORE
>>> I:ER", "RESTORE O:ER" etc. at the end of each chain (as this would be
>>> the most efficient way of dealing with SELinux contexts once they are
>>> established) it would be nice if these things are 'optimised' and added
>>> automatically by Shorewall when an appropriate option is turned on in
>>> shorewall.conf (like "AUTO_CONNSECMARK=Yes" for example) so that I do
>>> not have to put these manually.
>>>
>>> As I already pointed out - in vast majority of cases SAVE and RESTORE
>>> would make sense to be placed in the above form at the end of each chain
>>> so that they take care of preserving and restoring SELinux contexts in
>>> connections, so why not add them automatically?
>>
> Flexibility indeed! Hence why I suggested that you could add an option
> (or include it as another optimisation level as you currently do with so
> many other things on Shorewall) and let Shorewall users decide what to use.
>
> Another reason for this is that mistakes with SAVE and RESTORE are
> *very* easy to make as I found out to my own cost (using SAVE
> "I:N"/"RESTORE I:ER" with attaching additional parameters - ports etc -
> which is an absolute rubbish thing to do!) - hence if I know that my
> network deploys SELinux (which is what I aim for really) and all network
> traffic is controlled I just switch this option on, Shorewall attaches
> SAVE/RESTORE statements at the end of each CHAIN 'automatically' and the
> only thing I need to concentrate on, as far as secmarks are concerned,
> is defining the SELinux contexts for the traffic I am controlling.
>
> For others, who do not need/do not want to use this approach and prefer
> to do everything 'manually', they can switch this option off and get on
> with it without additional hassle. Very much like the optimisation
> levels you have currently built in Shorewall.
>
> You don't take anything away, on the contrary - you provide flexibility
> and keep everyone happy!

I wonder if a better way to approach this might be with "secmark macros";
canned blocks of rules that can be invoked easily.

We really should take this discussion onto the Development Mailing List.

-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
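The AUTO_CONNSECMARK behaviour proposed in the thread, as an added prototype that is not Shorewall's code: it reads rules in the column order of Shorewall's secmarks file (assumed here as SECMARK, CHAIN[:STATE], SOURCE, DEST, PROTO, DPORT), emits the equivalent iptables mangle-table commands, appends a "SAVE chain:N" / "RESTORE chain:ER" pair to every chain that labels traffic unless the file already contains them, and rejects SAVE/RESTORE lines that carry match parameters (the mistake described above). The chain-letter and state-suffix mappings are inferred from the I:N / I:ER usage in the thread, and the SELinux context names in the sample are constructed for illustration.

```python
"""Prototype of the AUTO_CONNSECMARK idea (added example, not Shorewall code)."""
from dataclasses import dataclass

# Shorewall chain letters and state suffixes (assumed from the thread's I:N / I:ER usage).
CHAINS = {"P": "PREROUTING", "I": "INPUT", "F": "FORWARD", "O": "OUTPUT", "T": "POSTROUTING"}
STATES = {"N": "NEW", "E": "ESTABLISHED", "ER": "ESTABLISHED,RELATED",
          "I": "INVALID", "NI": "NEW,INVALID"}

# Constructed sample; the SELinux contexts are illustrative, not from a real policy.
SAMPLE = """\
#SECMARK                                   CHAIN  SOURCE  DEST  PROTO  DPORT
system_u:object_r:ssh_server_packet_t:s0   I:N    -       -     tcp    22
system_u:object_r:smtp_server_packet_t:s0  I:N    -       -     tcp    25
system_u:object_r:dns_client_packet_t:s0   O:N    -       -     udp    53
"""


@dataclass
class Rule:
    secmark: str   # "SAVE", "RESTORE", or an SELinux context
    chain: str     # full iptables chain name
    state: str     # conntrack state list, or "" for no state match
    source: str = "-"
    dest: str = "-"
    proto: str = "-"
    dport: str = "-"

    @property
    def is_connsecmark(self):
        return self.secmark in ("SAVE", "RESTORE")


def parse_chain(spec):
    """'I:ER' -> ('INPUT', 'ESTABLISHED,RELATED'); 'O' -> ('OUTPUT', '')."""
    letter, _, state = spec.partition(":")
    if letter not in CHAINS or (state and state not in STATES):
        raise ValueError("bad CHAIN column: %s" % spec)
    return CHAINS[letter], STATES[state] if state else ""


def parse_secmarks(text):
    """Parse secmarks-style text into Rule objects, refusing the known pitfalls."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and the header line
        if not line:
            continue
        cols = line.split()
        cols += ["-"] * (6 - len(cols))       # pad missing trailing columns
        secmark, chain_spec, source, dest, proto, dport = cols[:6]
        chain, state = parse_chain(chain_spec)
        rule = Rule(secmark, chain, state, source, dest, proto, dport)
        # SAVE/RESTORE must cover the whole chain, so match parameters on them are an error.
        if rule.is_connsecmark and (source, dest, proto, dport) != ("-",) * 4:
            raise ValueError("line %d: %s must not carry match parameters" % (lineno, secmark))
        if dport != "-" and proto == "-":
            raise ValueError("line %d: DPORT requires PROTO" % lineno)
        rules.append(rule)
    return rules


def to_iptables(rule):
    """Render one Rule as an iptables mangle-table command string."""
    cmd = ["iptables", "-t", "mangle", "-A", rule.chain]
    if rule.state:
        cmd += ["-m", "state", "--state", rule.state]
    if rule.source != "-":
        cmd += ["-s", rule.source]
    if rule.dest != "-":
        cmd += ["-d", rule.dest]
    if rule.proto != "-":
        cmd += ["-p", rule.proto]
    if rule.dport != "-":
        cmd += ["--dport", rule.dport]
    if rule.secmark == "SAVE":
        cmd += ["-j", "CONNSECMARK", "--save"]
    elif rule.secmark == "RESTORE":
        cmd += ["-j", "CONNSECMARK", "--restore"]
    else:
        cmd += ["-j", "SECMARK", "--selctx", rule.secmark]
    return " ".join(cmd)


def generate(rules, auto_connsecmark=True):
    """Return iptables commands; with auto_connsecmark, close each labelled chain
    with SAVE (NEW) then RESTORE (ESTABLISHED,RELATED) unless given explicitly."""
    cmds = [to_iptables(r) for r in rules]
    if not auto_connsecmark:
        return cmds
    explicit = {(r.chain, r.secmark) for r in rules if r.is_connsecmark}
    labelled = dict.fromkeys(r.chain for r in rules if not r.is_connsecmark)
    for chain in labelled:                    # first-appearance order
        if (chain, "SAVE") not in explicit:
            cmds.append(to_iptables(Rule("SAVE", chain, STATES["N"])))
        if (chain, "RESTORE") not in explicit:
            cmds.append(to_iptables(Rule("RESTORE", chain, STATES["ER"])))
    return cmds


if __name__ == "__main__":
    print("\n".join(generate(parse_secmarks(SAMPLE))))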
signature.asc
Description: OpenPGP digital signature
------------------------------------------------------------------------------ This SF.net Dev2Dev email is sponsored by: Show off your parallel programming skills. Enter the Intel(R) Threading Challenge 2010. http://p.sf.net/sfu/intel-thread-sfd
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
