On Fri, 12 Jul 2002, Stephen Smalley wrote:

> I think that I'd prefer to have SELinux "gracefully degrade" in
> functionality when Netfilter is not enabled. I'd suggest making the
> labeled networking options depend on Netfilter, but nothing else
> (naturally, this will require making the Netfilter-dependent code in the
> SELinux module conditional).

Ok, see attached.

As the NSID API would not be useful without Netfilter, I've made NSID
depend on Netfilter, and Selopt depend on NSID.

> Although I haven't tried it recently, it
> used to be the case that you could use the rest of SELinux (other than
> the labeled networking options) with NetFilter disabled; you would merely
> lose the network interface and node permission checks. The
> selinux_sock_rcv_skb hook function already contains a test to detect
> and label unlabeled network buffers to deal with the potential absence of
> the Netfilter-based hooks.
>

It appears to be running ok, please let me know what you think.

- James
--
James Morris <jmorrisat_private>