On Sun, 21 May 2006, Andrew Morton wrote:

> Well as discussed off-list, I'm not able to get this stuff to work.  I get
> a pile of these:
> 
> security_compute_av:  unrecognized class 57

This is because the userspace components have not been updated yet -- the 
patch just went into -mm.

The workaround is to enable the old networking controls via the kernel 
parameter selinux_compat_net=1.  Once the distro packages have been 
updated, this will not be necessary.  All that's needed to start with in 
fact is a change to the startup scripts to do this at boot, depending on 
the package version.  This is a brief temporary issue in -mm.

> And I'd agree with the other commenters: if these features are compulsory
> for SELinux then we might as well just `select' them.  Right now it's way
> too hard.

Ok, I'll look into selecting them.

> Even if we do that, the chances of people actually going off and finding
> all the other random secmark Kconfig options and turning on the appropriate
> ones seem pretty small.  Needs a rethink.  Perhaps a standalone secmark
> menu, or just selecting everything..
> 
> And maybe just remove all the various netfilter secmark CONFIG options
> altogether and make all the new code dependent upon the top-level
> CONFIG_SECMARK.

I'm not sure what you mean here.  The top level secmark just enables the 
skb->secmark field without adding any mechanism to use it.  Then, two 
mechanisms which have been provided (the SECMARK and CONNSECMARK targets) 
can be independently enabled.  These are not the only possible ways of 
utilizing skb->secmark, so these components are configurable separately.



- James
-- 
James Morris
<[EMAIL PROTECTED]>
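
The layering described in the reply above, as an added example that is not part of the original message: a shell check that reports how far the secmark stack is enabled in a kernel config and whether the `selinux_compat_net=1` workaround is on a command line. The symbol names CONFIG_NETWORK_SECMARK, CONFIG_NETFILTER_XT_TARGET_SECMARK and CONFIG_NETFILTER_XT_TARGET_CONNSECMARK are the mainline Kconfig names and an assumption here (the thread only says CONFIG_SECMARK); the sample config and command line are constructed.

```shell
#!/bin/sh
# Added example; Kconfig symbol names are assumed mainline names, not from the thread.

# opt_state CONFIG_FILE SYMBOL: print y, m, or n (n when unset or absent).
opt_state() {
    state=$(sed -n "s/^CONFIG_$2=\([ym]\)[[:space:]]*\$/\1/p" "$1" | head -n 1)
    printf '%s\n' "${state:-n}"
}

# secmark_verdict CONFIG_FILE: classify how far the secmark stack is enabled.
secmark_verdict() {
    field=$(opt_state "$1" NETWORK_SECMARK)
    set_t=$(opt_state "$1" NETFILTER_XT_TARGET_SECMARK)
    conn_t=$(opt_state "$1" NETFILTER_XT_TARGET_CONNSECMARK)
    if [ "$field" = n ]; then
        echo "no-field"              # skb->secmark is not compiled in
    elif [ "$set_t" = n ] && [ "$conn_t" = n ]; then
        echo "field-only"            # field exists, no target can set it
    elif [ "$set_t" != n ] && [ "$conn_t" != n ]; then
        echo "secmark+connsecmark"   # both mechanisms available
    elif [ "$set_t" != n ]; then
        echo "secmark-only"
    else
        echo "connsecmark-only"
    fi
}

# compat_net_enabled CMDLINE: succeed if the workaround parameter is present.
compat_net_enabled() {
    case " $1 " in
        *" selinux_compat_net=1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample config: field on, SECMARK modular, CONNSECMARK off.
sample_cfg=$(mktemp)
cat > "$sample_cfg" <<'EOF'
CONFIG_NETWORK_SECMARK=y
CONFIG_NETFILTER_XT_TARGET_SECMARK=m
# CONFIG_NETFILTER_XT_TARGET_CONNSECMARK is not set
EOF
echo "config: $(secmark_verdict "$sample_cfg")"
rm -f "$sample_cfg"
# Constructed sample kernel command line.
if compat_net_enabled "ro root=/dev/sda1 selinux_compat_net=1"; then
    echo "cmdline: old networking controls enabled"
fi
```

On a running system the same functions can be pointed at the kernel's config file and the contents of /proc/cmdline.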