SECMARK
Motivation: Existing SELinux network controls very limited in expressiveness and coverage.
Solution: Separate labeling from enforcement.
- Use iptables to select and label packets.
- Use SELinux to enforce policy based on those labels.
Userland and policy integration incomplete.
Compatibility mode for legacy controls (compat_net).
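
The labeling/enforcement split under "Solution", as an added example that is not from the original slides: a shell function that generates the iptables labeling rules, with the matching SELinux enforcement rule shown in a comment. Port 80, the context system_u:object_r:httpd_packet_t:s0 and the types httpd_t and httpd_packet_t are assumed values.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset that only LABELS packets.
# The port and SELinux context passed in are assumed values.
secmark_ruleset() {
    port=$1
    ctx=$2
    # Reject anything that is not a plain TCP port number (max 5 digits).
    case $port in
        ''|*[!0-9]*|??????*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    # Accept only user:role:type[:level] built from context-safe characters,
    # so the value cannot smuggle extra rule text into the ruleset.
    case $ctx in
        *[!A-Za-z0-9_:.,-]*) echo "invalid context: $ctx" >&2; return 1 ;;
        *:*:*) ;;
        *) echo "invalid context: $ctx" >&2; return 1 ;;
    esac
    cat <<EOF
*mangle
# Labeling: new connections to the service port get the packet context.
-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j SECMARK --selctx $ctx
# Copy the label to the connection so later packets inherit it.
-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j CONNSECMARK --save
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j CONNSECMARK --restore
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j CONNSECMARK --restore
COMMIT
EOF
}

# Enforcement lives in SELinux policy, not here. With the assumed types
# httpd_t (domain) and httpd_packet_t (packet label) the matching rule is:
#   allow httpd_t httpd_packet_t:packet { send recv };
#
# Review, then load as root without flushing existing rules:
#   secmark_ruleset 80 system_u:object_r:httpd_packet_t:s0 | iptables-restore --noflush
```

The iptables rules make no allow or deny decision; a packet carrying the label is delivered only if SELinux policy grants the receiving domain access to that packet type.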