
Secmark explained

James Morris's secmark patches have been circulating for a few weeks now. Secmark is a new mechanism for filtering network packets through SELinux. Your editor had pondered writing an article about secmark, but that turns out to be unnecessary; James did it first.

The idea is to separate labeling and enforcement. Specifically: use iptables to select and label packets, then use SELinux to enforce security policy using these packet labels. This utilizes the expressiveness of iptables rulesets, as well as the flexibility of any of its many matches and targets, and powerful components such as connection tracking. At the same time, enforcement of security policy remains the responsibility of the SELinux AVC, and access control rules can be meaningfully analyzed as part of overall SELinux policy analysis.

Read the full article for a detailed description of what secmark does and how to use it.
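As an added example (not part of the LWN article, of James Morris's write-up or of the secmark patches themselves), the script below shows the two halves of the design side by side: an iptables mangle-table ruleset that labels inbound HTTP traffic with a packet context and propagates it through connection tracking, and a raw SELinux policy module that decides which domain may send and receive packets carrying that label. The domain name web_t, the packet type web_packet_t and the choice of port 80 are assumptions made for the example; iptables_t is the reference policy's domain for the iptables tool. Run without arguments the script only prints the rules and policy; "apply" loads them for real.

```shell
#!/bin/sh
# Added example, not from the LWN article or from the secmark patches.
# Hypothetical names: web_t (the web server domain) and web_packet_t (the
# packet type). With no arguments the iptables commands are only printed
# (IPT=echo); "apply" runs them and builds the policy module.
set -eu

WEB_PKT_CTX="system_u:object_r:web_packet_t:s0"   # hypothetical packet context

# Labelling side: iptables selects packets and stamps the SELinux context.
# $IPT defaults to "echo" so the rule set can be rendered without root.
label_rules() {
    IPT="${IPT:-echo}"
    # Re-apply the saved connection label to every packet of a known flow,
    # so replies and later segments carry the label given to the first packet.
    "$IPT" -t mangle -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j CONNSECMARK --restore
    "$IPT" -t mangle -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j CONNSECMARK --restore
    # Label the first packet of each inbound HTTP connection...
    "$IPT" -t mangle -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j SECMARK --selctx "$WEB_PKT_CTX"
    # ...and copy that label onto the conntrack entry for the rest of the flow.
    "$IPT" -t mangle -A INPUT -m conntrack --ctstate NEW -j CONNSECMARK --save
}

# Enforcement side: a raw SELinux policy module in checkmodule syntax.
# The AVC, not iptables, decides who may use web_packet_t packets.
policy_module_text() {
    cat <<'EOF'
module web_packet 1.0;
require {
    type web_t;
    type iptables_t;
    class packet { send recv relabelto };
}
type web_packet_t;
# Only the web server domain may send or receive packets labelled by the
# SECMARK rule; every other domain is denied by default.
allow web_t web_packet_t:packet { send recv };
# Current kernels also require the domain loading the iptables rules to hold
# relabelto on the target packet type.
allow iptables_t web_packet_t:packet relabelto;
EOF
}

# Compile the module into a loadable package (needs checkmodule/semodule_package).
build_policy() {
    policy_module_text > web_packet.te
    checkmodule -M -m -o web_packet.mod web_packet.te
    semodule_package -o web_packet.pp -m web_packet.mod
    echo "load with: semodule -i web_packet.pp"
}

case "${1:-render}" in
    render) label_rules; policy_module_text ;;
    apply)  IPT=iptables; label_rules; build_policy ;;
    *)      echo "usage: $0 [render|apply]" >&2; exit 2 ;;
esac
```

Before loading rules like these, check that the policy already allows the other domains on the host to `send` and `recv` on `unlabeled_t:packet`: once secmark is in use, packets that no rule has marked are checked as `unlabeled_t`, so an unprepared policy can cut off unrelated traffic rather than just constraining the web server.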



Secmark explained

Posted May 25, 2006 15:06 UTC (Thu) by dang (guest, #310) [Link]

The more that I think about this, the more that I like it. Very cool.

<troll_prevention>
I'm not saying that you should use SELinux if you don't like it. I'm just saying that if you *do* use or plan to use SELinux, secmark seems to be a nice addition to the toolbox.
</troll_prevention>

Copyright © 2006, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds