secmark=XXX mapping
Mr Dash Four
mr.dash.four at googlemail.com
Tue Sep 21 16:42:55 UTC 2010
> One item to note: xt_SECMARK.c is presently using selinux-specific
> interfaces for mapping the security context string to a sid originally,
> as well as to check permissions, manage refcounts, etc. So if you use
> the LSM hooks for mapping the secid back to a context, there will be an
> inconsistency in the interface. Likely they should all be LSM hooks and
> both include/linux/selinux.h and security/selinux/exports.c should go
> away.
>
I found a way to alter the iptables source to get that information - see
my own thread on the netfilter mailing list here -
http://www.spinics.net/lists/netfilter/msg49094.html
Whether the devs responsible for iptables/netfilter would agree to make
these changes I am not sure - I patched my own iptables and it works!