forked from analogdevicesinc/linux
Commit
selinux: Deprecate and schedule the removal of the compat_net functionality

This patch is the first step towards removing the old "compat_net" code from the kernel. Secmark, the "compat_net" replacement, was first introduced in 2.6.18 (September 2006) and the major Linux distributions with SELinux support have transitioned to Secmark so it is time to start deprecating the "compat_net" mechanism. Testing a patched version of 2.6.28-rc6 with the initial release of Fedora Core 5 did not show any problems when running in enforcing mode.

This patch adds an entry to the feature-removal-schedule.txt file and removes the SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT configuration option, forcing Secmark on by default although it can still be disabled at runtime. The patch also makes the Secmark permission checks "dynamic" in the sense that they are only executed when Secmark is configured; this should help prevent problems with older distributions that have not yet migrated to Secmark.

Signed-off-by: Paul Moore <[email protected]>
Acked-by: James Morris <[email protected]>
Showing 4 changed files with 23 additions and 38 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -324,3 +324,15 @@ When: 2.6.29 (ideally) or 2.6.30 (more likely) | |
Why: Deprecated by the new (standard) device driver binding model. Use | ||
i2c_driver->probe() and ->remove() instead. | ||
Who: Jean Delvare <[email protected]> | ||
|
||
--------------------------- | ||
|
||
What: SELinux "compat_net" functionality | ||
When: 2.6.30 at the earliest | ||
Why: In 2.6.18 the Secmark concept was introduced to replace the "compat_net" | ||
network access control functionality of SELinux. Secmark offers both | ||
better performance and greater flexibility than the "compat_net" | ||
mechanism. Now that the major Linux distributions have moved to | ||
Secmark, it is time to deprecate the older mechanism and start the | ||
process of removing the old code. | ||
Who: Paul Moore <[email protected]> |
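Review bot: The new `What: SELinux "compat_net" functionality` entry explains why the mechanism is being retired but gives an administrator on an older distribution nothing to act on. The commit message states that Secmark is now forced on by default, that it can still be disabled at runtime, and that SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT is removed, yet none of that appears in the `Why:` text. Consider adding a sentence there that names the runtime control and notes that the build-time default is gone, so that someone who sees unexpected network denials after upgrading can trace the cause from this file alone. The `When: 2.6.30 at the earliest` line also leaves the removal open-ended compared with the entry above it, which gives both a target and a fallback release.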