    selinux: Deprecate and schedule the removal of the compat_net functionality · 277d342f
    Paul Moore authored
    This patch is the first step towards removing the old "compat_net" code from
    the kernel.  Secmark, the "compat_net" replacement, was first introduced in
    2.6.18 (September 2006) and the major Linux distributions with SELinux support
    have transitioned to Secmark so it is time to start deprecating the "compat_net"
    mechanism.  Testing a patched version of 2.6.28-rc6 with the initial release of
    Fedora Core 5 did not show any problems when running in enforcing mode.
    
    This patch adds an entry to the feature-removal-schedule.txt file and removes
    the SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT configuration option, forcing
    Secmark on by default although it can still be disabled at runtime.  The patch
    also makes the Secmark permission checks "dynamic" in the sense that they are
    only executed when Secmark is configured; this should help prevent problems
    with older distributions that have not yet migrated to Secmark.
    Signed-off-by: Paul Moore <paul.moore@hp.com>
    Acked-by: James Morris <jmorris@namei.org>
feature-removal-schedule.txt 12.3 KB