On Sun, 21 May 2006, James Morris wrote:

> > And I'd agree with the other commenters: if these features are compulsory
> > for SELinux then we might as well just `select' them. Right now it's way
> > too hard.
>
> Ok, I'll look into selecting them.
There are several problems with this. Because SELinux can only be selected as Y, using select for the secmark modules would force them also to be built statically into the kernel. Another issue is the presence of new and old Netfilter infrastructure, and there's no way the SELinux config can know whether to enable the new generic NF conntrack system or the old IP conntrack one.

Then, there's the issue of forcing a specific configuration on the user: perhaps they don't want connection tracking at all and just want static controls (i.e. only use the SECMARK target, not CONNSECMARK). And how far do you go? Force the selection of FTP connection tracking? What about new conntrack targets?

The only reasonable solution is to allow the user to configure what they need, with the simplest case being that only NETWORK_SECMARK is enabled as a minimum requirement for SELinux, which will result in all traffic carrying the default 'unlabeled_t' marking, which the user then needs to have an appropriate policy for.

I was planning on posting detailed documentation on the new secmark scheme once it was in -mm, and having selinux_compat_net=1 as a stopgap until people either know what to configure or their distro userland is updated. (Support for secmark controls cannot be rolled out into distros until the kernel infrastructure is in an upstream kernel such as -mm).

- James

--
James Morris <[EMAIL PROTECTED]>
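The Kconfig point the message makes (a `select` issued from a bool-only option forces the selected symbol to =y and cannot pick between the two conntrack stacks, whereas `depends on` leaves the choice, including built-in versus module, to the user) is easier to see in a fragment. The following is an illustrative Kconfig fragment added here; it is not the kernel's Kconfig and not part of the original message. NETWORK_SECMARK, SECMARK and CONNSECMARK come from the message; the symbol names NETFILTER_XT_TARGET_SECMARK, NETFILTER_XT_TARGET_CONNSECMARK, NF_CONNTRACK and IP_NF_CONNTRACK, and the dependency lists, are assumed and simplified for illustration.

```kconfig
# Illustrative fragment (added as an example, not taken from the kernel tree).
# It shows the split the message argues for: SELinux pulls in only the bool
# marking infrastructure via "select", while the tristate Netfilter targets
# stay "depends on" so the user decides whether, and whether as a module, to
# build them.

config NETWORK_SECMARK
	bool
	# No prompt: SELinux selects it. Selecting a bool can only force =y,
	# which is harmless for the core marking hooks. With nothing else
	# enabled, every packet carries the default unlabeled_t context and
	# the loaded policy has to cover that case.

config SECURITY_SELINUX
	bool "NSA SELinux Support"
	depends on SECURITY_NETWORK && AUDIT && NET && INET
	select NETWORK_SECMARK
	# Dependency list simplified for illustration. Only the minimum
	# requirement is selected; nothing Netfilter-specific is forced.

config NETFILTER_XT_TARGET_SECMARK
	tristate '"SECMARK" target support'
	depends on NETFILTER_XTABLES && NETWORK_SECMARK
	# Static labelling only (no connection tracking). Because this is a
	# "depends on" reached from the user's own choice, =m remains legal.
	# Had the bool SECURITY_SELINUX "select"ed it instead, the symbol
	# would be forced to =y and could no longer be built as a module.

config NETFILTER_XT_TARGET_CONNSECMARK
	tristate '"CONNSECMARK" target support'
	depends on NETFILTER_XTABLES && NETWORK_SECMARK
	depends on NF_CONNTRACK || IP_NF_CONNTRACK
	# Needs connection tracking; either the generic NF conntrack or the
	# older IP conntrack satisfies it. A "select" from the SELinux option
	# has no way to know which of the two the user wants, so the choice
	# is left to the user here.
```

Read with `make menuconfig` semantics in mind: a symbol that is only `select`ed never shows its prompt and cannot be turned off, while a `depends on` symbol appears once its dependencies are met and can be set to y, m or n by the user.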