[refpolicy] [PATCH/RFC 2/2] Add minidlna policy

Dominick Grift dominick.grift at gmail.com
Fri May 3 03:08:29 EDT 2013


On Thu, 2013-05-02 at 21:52 +0200, Dominick Grift wrote:
> On Thu, 2013-05-02 at 21:23 +0200, Sven Vermeulen wrote:
> > On Thu, May 02, 2013 at 05:41:25PM +0200, Dominick Grift wrote:
> > > > +corenet_sendrecv_trivnet1_client_packets(minidlna_t)
> > > > +corenet_sendrecv_trivnet1_server_packets(minidlna_t)
> > > > +corenet_tcp_bind_trivnet1_port(minidlna_t)
> > > > +
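Review bot: corenet_sendrecv_trivnet1_client_packets(minidlna_t), the first added line, looks unnecessary. The only port-level access granted in this hunk is corenet_tcp_bind_trivnet1_port, which is the server side, and nothing here lets minidlna_t connect to a trivnet1 port. Suggest dropping the client_packets call and keeping corenet_sendrecv_trivnet1_server_packets alongside the bind, or adding a comment naming the outbound connection that needs the client packet type.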
> > > 
> > > Another oversight
> > > 
> > > You do not need the "client_packets" interface calls if the domain does
> > > not connect to the port.
> > > 
> > > In this case the minidlna domain only binds tcp sockets to trivnet1 ports,
> > > and udp sockets to ssdp ports.
> > 
> > I must admit, I never understood (and still don't understand) the networking
> > aspects in more detail. The corenet_sendrecv_*_packets() interfaces are for
> > the SECMARK labeled usage, right?
> 
> Good question, and I am not sure.

Looks like compat_net support may have been completely removed:

http://lists.openwall.net/netdev/2009/03/27/144

I think we need more and better practical examples of how to use
secmark and how secmark can be configured to match the old compat_net
functionality.

There is one nice how-to by Dan Walsh on Linux.com, but other than that
documentation is lacking in my view.


