On Fri, 12 Jul 2002, James Morris wrote:

> I've made SELinux dependent on Netfilter, although I'm not sure if this is
> what Stephen will want to do. I tried forcing Netfilter to be configured
> if SELinux was configured (via define_bool), but it didn't work if
> Netfilter was disabled without viewing the security menu again.

I think that I'd prefer to have SELinux "gracefully degrade" in functionality when Netfilter is not enabled. I'd suggest making the labeled networking options depend on Netfilter, but nothing else (naturally, this will require making the Netfilter-dependent code in the SELinux module conditional).

Although I haven't tried it recently, it used to be the case that you could use the rest of SELinux (other than the labeled networking options) with NetFilter disabled; you would merely lose the network interface and node permission checks. The selinux_sock_rcv_skb hook function already contains a test to detect and label unlabeled network buffers to deal with the potential absence of the Netfilter-based hooks.

--
Stephen D. Smalley, NAI Labs
ssmalleyat_private

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
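The graceful degradation described in the message above, as an added user-space model that is not SELinux source and not part of the original post: the Netfilter-based hook is built only when a configuration macro is set, while the socket receive hook is always built and labels any buffer that arrives unlabeled. The `model_*` names, the `MODEL_NETFILTER` macro and the SID values are hypothetical stand-ins; only the name `selinux_sock_rcv_skb` comes from the message.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed label values for this model; not SELinux's real SIDs. */
enum { SID_NONE = 0, SID_UNLABELED = 1, SID_NETIF = 2 };

struct model_skb {
    unsigned int sid;    /* SID_NONE until some hook labels the buffer */
    bool netif_checked;  /* set when interface/node checks have run */
};

#ifdef MODEL_NETFILTER
/* Stand-in for the Netfilter-based hook: compiled only when the
 * (hypothetical) MODEL_NETFILTER option is set. */
static void model_nf_input(struct model_skb *skb)
{
    skb->sid = SID_NETIF;        /* label from the receiving interface */
    skb->netif_checked = true;   /* interface and node permission checks */
}
#endif

/* Input path of the stack: calls the hook only if it was built in. */
static void model_ip_input(struct model_skb *skb)
{
#ifdef MODEL_NETFILTER
    model_nf_input(skb);
#else
    (void)skb;                   /* no hook: buffer stays unlabeled */
#endif
}

/* Stand-in for selinux_sock_rcv_skb: always built, so it must cope
 * with buffers that no earlier hook labeled. */
static unsigned int model_sock_rcv_skb(struct model_skb *skb)
{
    if (skb->sid == SID_NONE)
        skb->sid = SID_UNLABELED;
    return skb->sid;
}

/* Run one buffer through both stages and report the final label. */
static unsigned int model_receive(struct model_skb *skb)
{
    model_ip_input(skb);
    return model_sock_rcv_skb(skb);
}

int main(void)
{
    struct model_skb skb = { SID_NONE, false };
    unsigned int sid = model_receive(&skb);
    printf("sid=%u netif_checked=%d\n", sid, skb.netif_checked);
    return 0;
}
```

Built without `-DMODEL_NETFILTER`, the buffer ends up with the unlabeled SID and no interface or node check has run; built with it, the earlier hook supplies the label and the receive hook leaves it alone.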