From: Karl MacMillan <kmacmillan@mentalrootkit.com>
To: "Christopher J. PeBenito" <cpebenito@tresys.com>
Cc: casey@schaufler-ca.com, Joshua Brindle <jbrindle@tresys.com>,
	SELinux Mail List <selinux@tycho.nsa.gov>
Subject: Re: [PATCH 0/6] netfilter integration
Date: Wed, 26 Jul 2006 16:43:39 -0400	[thread overview]
Message-ID: <200607261643.39291.kmacmillan@mentalrootkit.com> (raw)
In-Reply-To: <1153923824.31522.19.camel@sgc.columbia.tresys.com>

On Wednesday 26 July 2006 10:23, Christopher J. PeBenito wrote:

<snip>

> So after further discussion internally, we were thinking that there
> are likely not going to be intermodule dependencies.  Oracle netfilter
> contexts aren't going to conflict with apache's.  Modules are going to
> want to override the contexts in the base module.
>
> So we were thinking that we should do something similar to how other
> parts of the policy are managed, with having base rules, module rules,
> local rules, pre, and post rules.  The pre and post rules would be
> special rules that have to come at the beginning or end of the
> netfilter_contexts file (see the 1's and 9's in my original 0/6 email).
> Then base would be low priority, module would be middle priority, and
> local would be high priority.  Modules that are packaged with an app
> should have the module priority.  The local priority would allow users
> to use the infrastructure to create packages for their own use, for
> example, for applying the rules to a network of machines (manually or
> policy server in the future), which would be more convenient than
> applying rules to iptables by hand on all the machines.

This sounds much better to me.

Karl
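The priority scheme quoted above, worked through as an added example. This is hypothetical code, not refpolicy's or the SELinux project's: the five classes (pre, base, module, local, post) and their order come from the quoted proposal; the fragment names, the sample `-j SECMARK` rule lines, and the rule that an entry from a higher-priority fragment replaces a lower-priority entry with the same match part are all assumptions made here.

```python
"""Assemble a netfilter_contexts file from prioritised fragments.

Hypothetical example, not SELinux or refpolicy code.  Fragments are ordered
pre < base < module < local < post so that higher-priority fragments land
later in the file; the sample rules below are constructed.
"""
from typing import Dict, Iterable, List, Tuple

# Lowest rank is written first.  pre and post bracket everything else (the
# "1's and 9's" in the thread); base < module < local is the override order.
PRIORITY_RANK: Dict[str, int] = {"pre": 0, "base": 1, "module": 2, "local": 3, "post": 4}

Fragment = Tuple[str, str, List[str]]   # (source name, priority class, raw lines)
Entry = Tuple[str, str, str]            # (priority class, source name, rule)


def match_key(rule: str) -> str:
    """Everything before the target ('-j ...') is what a rule matches on.
    Assumption: two rules with the same match part fill the same slot, so the
    one from the higher-priority fragment replaces the other."""
    return rule.split(" -j ", 1)[0].strip()


def assemble(fragments: Iterable[Fragment]) -> List[Entry]:
    """Return rules in priority order with same-match overrides resolved."""
    frags = list(fragments)
    for name, cls, _ in frags:
        if cls not in PRIORITY_RANK:
            raise ValueError(f"{name}: unknown priority class {cls!r}")
    # Deterministic regardless of input order: rank first, then source name.
    ordered = sorted(frags, key=lambda f: (PRIORITY_RANK[f[1]], f[0]))
    entries: List[Entry] = []
    for name, cls, lines in ordered:
        for raw in lines:
            rule = raw.strip()
            if not rule or rule.startswith("#"):
                continue  # blanks and comments are not rules
            key = match_key(rule)
            # A later (higher-priority) rule for the same match replaces any
            # earlier one rather than being appended behind it.
            entries = [e for e in entries if match_key(e[2]) != key]
            entries.append((cls, name, rule))
    return entries


def render(entries: List[Entry]) -> str:
    """Serialise entries as file text, with a comment header per fragment."""
    out: List[str] = []
    last = None
    for cls, name, rule in entries:
        if (cls, name) != last:
            out.append(f"# {cls}: {name}")
            last = (cls, name)
        out.append(rule)
    return "\n".join(out) + "\n"


# Constructed sample fragments, deliberately given out of order.  The apache
# module and the site-local fragment both relabel port-80 traffic that base
# already labels, so they exercise the override path.
SAMPLE_FRAGMENTS: List[Fragment] = [
    ("apache", "module", [
        "# constructed: apache wants its own packet label",
        "-A OUTPUT -p tcp --sport 80 -j SECMARK --selctx system_u:object_r:httpd_packet_t:s0",
    ]),
    ("trailer", "post", ["-A OUTPUT -j CONNSECMARK --save"]),
    ("base", "base", [
        "",
        "-A OUTPUT -p tcp --sport 80 -j SECMARK --selctx system_u:object_r:server_packet_t:s0",
        "-A OUTPUT -p tcp --sport 22 -j SECMARK --selctx system_u:object_r:ssh_server_packet_t:s0",
    ]),
    ("sitewide", "local", [
        "-A OUTPUT -p tcp --sport 80 -j SECMARK --selctx system_u:object_r:site_httpd_packet_t:s0",
    ]),
    ("header", "pre", ["-A INPUT -j CONNSECMARK --restore"]),
]

if __name__ == "__main__":
    print(render(assemble(SAMPLE_FRAGMENTS)), end="")
```

Run stand-alone it prints the merged file: the pre header first, base's port-22 rule, the site-local port-80 rule (which displaced both base's and apache's), and the post trailer last. The override rule keyed on the match part is the one design decision not settled in the thread; a real implementation would have to decide whether the consumer (iptables, first match wins) or the assembler resolves duplicates.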


