SELinux needs to use some Netfilter hooks, and I'd like to propose the
hook priorities below for the mainline kernel.

As SELinux is a mandatory access control system, it needs to be able to
look at packets before and after they may have been modified. Two
priorities are thus required.

The SELINUX_LAST priority is straightforward: this is after all mangling
and NAT has occurred.

The SELINUX_FIRST priority needs to be located before any packet
modification hooks, although it is also potentially useful if located
prior to conntrack so that SELinux has an opportunity to reject packets
before they enter the conntrack code.

Does anyone have any objections to the patch below (which I'd propose for
2.6.2), or other comments?
- James
--
James Morris
<jmorris@xxxxxxxxxx>
diff -urN -X dontdiff
linux-2.6.1-rc1-mm2.pending/include/linux/netfilter_ipv4.h
linux-2.6.1-rc1-mm2.w1/include/linux/netfilter_ipv4.h
--- linux-2.6.1-rc1-mm2.pending/include/linux/netfilter_ipv4.h 2003-09-27
20:50:51.000000000 -0400
+++ linux-2.6.1-rc1-mm2.w1/include/linux/netfilter_ipv4.h 2004-01-06
10:14:59.503138800 -0500
@@ -51,6 +51,7 @@
enum nf_ip_hook_priorities {
NF_IP_PRI_FIRST = INT_MIN,
+ NF_IP_PRI_SELINUX_FIRST = -225,
NF_IP_PRI_CONNTRACK = -200,
NF_IP_PRI_BRIDGE_SABOTAGE_FORWARD = -175,
NF_IP_PRI_MANGLE = -150,
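Review bot: the ordering constraint that makes -225 the right value is not recorded anywhere in the enum; NF_IP_PRI_SELINUX_FIRST must stay numerically below NF_IP_PRI_CONNTRACK (-200) and NF_IP_PRI_MANGLE (-150) for the "reject before conntrack, inspect before modification" behaviour described in the cover letter, and a future reshuffle of these values could silently break that. Suggest a one-line comment on the new entry, e.g. `NF_IP_PRI_SELINUX_FIRST = -225, /* must run before conntrack and mangle */`. One caveat worth stating in that comment as well: NF_IP_PRI_FIRST is still INT_MIN, so any hook registered at NF_IP_PRI_FIRST (or at any value below -225) runs ahead of SELinux and could alter a packet before SELinux's first look at it; "before any packet modification hooks" therefore only holds for the in-tree tables listed here.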
@@ -58,6 +59,7 @@
NF_IP_PRI_BRIDGE_SABOTAGE_LOCAL_OUT = -50,
NF_IP_PRI_FILTER = 0,
NF_IP_PRI_NAT_SRC = 100,
+ NF_IP_PRI_SELINUX_LAST = 225,
NF_IP_PRI_LAST = INT_MAX,
};
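Review bot: 225 sits above NF_IP_PRI_NAT_SRC (100) and below NF_IP_PRI_LAST (INT_MAX), which matches the "after all mangling and NAT" requirement for the priorities visible in this hunk, but the entries between the two hunks are not shown, so please confirm none of them is greater than 225; a matching comment on the entry, e.g. `NF_IP_PRI_SELINUX_LAST = 225, /* must run after mangle and NAT */`, would let later readers check that without the cover letter. Separately, the patch only touches include/linux/netfilter_ipv4.h: if SELinux is expected to hook IPv6 traffic too, the equivalent priorities in netfilter_ipv6.h should be added in the same series so the two families keep the same ordering.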