Secmark, or skfilter, is exactly what fireflier needs to solve the shared-socket
issue. Thanks for working on this.
If this gets integrated in mainline, the fireflier LSM will be dropped.

Is it possible to have an SELinux policy that reinjects the packets if they
didn't match any rules?
I.e. if a program that listens on port 80 doesn't have access to the packet
(because it doesn't have the proper domain), and SELinux won't allow the program
to read the packet: is it possible to reinject this packet into the netfilter
chain, instead of dropping it?

This would allow creating rules interactively (fireflier).

But it could also be used for other purposes.
For example: if the program that listens on that port crashes, that means no
program would match the required domain+port.
If in that case the packet were reinjected, then the packet could be rerouted
(by adding proper rules to mangle the packet) to a different program/computer.
AFAIK this isn't currently possible with netfilter (please correct me if I'm
wrong).

What does the secmark currently do with packets that aren't allowed by policy
to be received?

P.S.: Where can I get the full secmark patches, so I can test them to see if
they really fit my needs?
Do you have an estimated timeline for mainline integration (in terms of n
weeks, m months)?

Cheers,
Edwin