Re: [PATCH] IP hook removal for 2.4

From: Stephen Smalley (sdsat_private)
Date: Fri Jul 12 2002 - 05:17:12 PDT

On Fri, 12 Jul 2002, James Morris wrote:

> I've made SELinux dependent on Netfilter, although I'm not sure if this is
> what Stephen will want to do.  I tried forcing Netfilter to be configured
> if SELinux was configured (via define_bool), but it didn't work if
> Netfilter was disabled without viewing the security menu again.

I think that I'd prefer to have SELinux "gracefully degrade" in
functionality when Netfilter is not enabled.  I'd suggest making the
labeled networking options depend on Netfilter, but nothing else
(naturally, this will require making the Netfilter-dependent code in the
SELinux module conditional).  Although I haven't tried it recently, it
used to be the case that you could use the rest of SELinux (other than
the labeled networking options) with Netfilter disabled; you would merely
lose the network interface and node permission checks.  The
selinux_sock_rcv_skb hook function already contains a test to detect
and label unlabeled network buffers to deal with the potential absence of
the Netfilter-based hooks.

--
Stephen D. Smalley, NAI Labs
ssmalleyat_private

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
    
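As an added illustration of the dependency Stephen proposes (constructed here, not taken from James's patch or the SELinux tree), a 2.4-style Config.in fragment: the top-level SELinux option stays independent of Netfilter, while only the labeled-networking option is offered when CONFIG_NETFILTER is set, so the Netfilter-dependent code in the module can be wrapped in `#ifdef CONFIG_NETFILTER`. The option name CONFIG_SELINUX_LABELED_NET and the prompt strings are placeholders.

```sh
# Constructed example; CONFIG_SELINUX_LABELED_NET is a placeholder name.
mainmenu_option next_comment
comment 'Security options'

# SELinux itself does not depend on Netfilter and can always be selected.
bool 'NSA SELinux Support' CONFIG_SELINUX

if [ "$CONFIG_SELINUX" = "y" ]; then
   # dep_bool offers this option only while every trailing dependency is
   # "y"; when Netfilter is disabled it falls back to "n" on its own, so the
   # kernel still builds with SELinux minus the netif/node checks. This is
   # the opposite of the define_bool approach, which forces a value that goes
   # stale unless the security menu is revisited.
   dep_bool '  SELinux labeled networking (requires Netfilter)' CONFIG_SELINUX_LABELED_NET $CONFIG_NETFILTER
fi

endmenu
```

With this layout the module's Netfilter hook registration and the netif/node permission checks are compiled only under CONFIG_SELINUX_LABELED_NET (or CONFIG_NETFILTER), while the receive-path fallback that labels buffers Netfilter never saw is built unconditionally.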
This archive was generated by hypermail 2b30 : Fri Jul 12 2002 - 05:20:49 PDT