enable CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT

Eric Paris eparis at redhat.com
Wed Sep 12 14:38:41 UTC 2007


I want to enable CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT in the
fedora kernel series.  First let me say there are almost no users at all
of the SELinux networking controls at all (old=netif or new=secmark) and
we do provide a flag (/selinux/compat_net) for userspace to turn it back
to the old stuff if a user needs.  What few users I do know who use the
network controls run RHEL not fedora.  RHEL5 actually shipped with this
enabled.  I made that choice namely because there is a performance hit
with the 'old style' network controls and the new secmark controls have
a much smaller penalty.  I just can't see a reason to make everyone who
uses Fedora pay a performance hit for network controls which never
enforce any security goal, are probably going to be removed upstream,
and no one uses anyway.

-Eric

--- tmp/config-2.6.23-0.174.rc6.fc8	2007-09-13 00:18:00.000000000 -0400
+++ tmp/config-2.6.23-0.174.rc6.fc8.new	2007-09-13 00:18:39.000000000 -0400
@@ -3330,7 +3330,7 @@ CONFIG_SECURITY_SELINUX_DISABLE=y
 CONFIG_SECURITY_SELINUX_DEVELOP=y
 CONFIG_SECURITY_SELINUX_AVC_STATS=y
 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
-# CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT is not set
+CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT=y
 # CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set
 CONFIG_XOR_BLOCKS=m
 CONFIG_ASYNC_CORE=m
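Review bot: the flipped line at `CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT=y` only changes the kernel's default, but nothing in the patch or its description records how a site that still depends on the old netif-style rules gets them back; the accompanying changelog entry should state that the option sets the default only and name the `/selinux/compat_net` switch described above as the way for userspace to re-enable the old controls, so that the behaviour change is visible to anyone reading the config diff later.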





More information about the Fedora-kernel-list mailing list