author: Paul Moore <paul.moore@hp.com> 2008-12-31 12:54:11 -0500
committer: Paul Moore <paul.moore@hp.com> 2008-12-31 12:54:11 -0500
commit: 277d342fc423fca5e66e677fe629d1b2f8f1b9e2
tree: 733f8694020df6ff8d9e21e2419b0df71aeb4351 /Documentation
parent: 6c2e8ac0953fccdd24dc6c4b9e08e8f1cd68cf07
selinux: Deprecate and schedule the removal of the compat_net functionality

This patch is the first step towards removing the old "compat_net" code from the kernel. Secmark, the "compat_net" replacement, was first introduced in 2.6.18 (September 2006) and the major Linux distributions with SELinux support have transitioned to Secmark, so it is time to start deprecating the "compat_net" mechanism. Testing a patched version of 2.6.28-rc6 with the initial release of Fedora Core 5 did not show any problems when running in enforcing mode.

This patch adds an entry to the feature-removal-schedule.txt file and removes the SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT configuration option, forcing Secmark on by default although it can still be disabled at runtime. The patch also makes the Secmark permission checks "dynamic" in the sense that they are only executed when Secmark is configured; this should help prevent problems with older distributions that have not yet migrated to Secmark.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Acked-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'Documentation')
-rw-r--r-- Documentation/feature-removal-schedule.txt 12
1 files changed, 12 insertions, 0 deletions
diff --git a/Documentation/feature-removal-schedule.txt b/Documentation/feature-removal-schedule.txt
index dc7c681e532..a0ed3964a21 100644
--- a/Documentation/feature-removal-schedule.txt
+++ b/Documentation/feature-removal-schedule.txt
@@ -324,3 +324,15 @@ When: 2.6.29 (ideally) or 2.6.30 (more likely)
324Why: Deprecated by the new (standard) device driver binding model. Use 324Why: Deprecated by the new (standard) device driver binding model. Use
325 i2c_driver->probe() and ->remove() instead. 325 i2c_driver->probe() and ->remove() instead.
326Who: Jean Delvare <khali@linux-fr.org> 326Who: Jean Delvare <khali@linux-fr.org>
327
328---------------------------
329
330What: SELinux "compat_net" functionality
331When: 2.6.30 at the earliest
332Why: In 2.6.18 the Secmark concept was introduced to replace the "compat_net"
333 network access control functionality of SELinux. Secmark offers both
334 better performance and greater flexibility than the "compat_net"
335 mechanism. Now that the major Linux distributions have moved to
336 Secmark, it is time to deprecate the older mechanism and start the
337 process of removing the old code.
338Who: Paul Moore <paul.moore@hp.com>
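Review bot: the new "Why:" paragraph of the SELinux "compat_net" entry explains that Secmark replaces compat_net but gives administrators no way to confirm, before 2.6.30, that their policy no longer depends on the old mechanism. The commit message states two things the entry should carry over: that this same change removes SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT so Secmark is now on by default, and that Secmark can still be disabled at runtime while its permission checks only run when Secmark is configured. A sentence such as "Secmark is now enabled by default (SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT has been removed); test your policy in enforcing mode with Secmark active before the removal" would let readers of feature-removal-schedule.txt verify their migration instead of discovering the dependency when the code is deleted.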