From: dominick.grift@gmail.com (Dominick Grift)
Date: Fri, 03 May 2013 09:08:29 +0200
Subject: [refpolicy] [PATCH/RFC 2/2] Add minidlna policy
In-Reply-To: <1367524372.27309.45.camel@d30>
References: <20130501183657.GA25116@siphos.be> <20130501183845.GC25116@siphos.be> <1367509285.27309.34.camel@d30> <20130502192347.GA25444@siphos.be> <1367524372.27309.45.camel@d30>
Message-ID: <1367564909.27309.49.camel@d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, 2013-05-02 at 21:52 +0200, Dominick Grift wrote:
> On Thu, 2013-05-02 at 21:23 +0200, Sven Vermeulen wrote:
> > On Thu, May 02, 2013 at 05:41:25PM +0200, Dominick Grift wrote:
> > > > +corenet_sendrecv_trivnet1_client_packets(minidlna_t)
> > > > +corenet_sendrecv_trivnet1_server_packets(minidlna_t)
> > > > +corenet_tcp_bind_trivnet1_port(minidlna_t)
> > > > +
> > >
> > > Another oversight
> > >
> > > You do not need the "client_packets" interface calls if the domain does
> > > not connect to the port
> > >
> > > In this case minidlna domain only binds tcp sockets to trivnet1 ports,
> > > and udp sockets to ssdp ports
> >
> > I must admit, I never understood (and still don't understand) the networking
> > aspects in more detail. The corenet_sendrecv_*_packets() interfaces are for
> > the SECMARK labeled usage, right?
>
> Good question, and I am not sure.

Looks like compat_net support may have been completely removed:

http://lists.openwall.net/netdev/2009/03/27/144

I think we need more and better, practical examples of how to use
secmark and how secmark can be configured to match the old compat_net
functionality.

There is one nice how-to by Dan Walsh on Linux.com, but other than that,
documentation is lacking in my view.
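
Review bot: the first added line of the quoted hunk, corenet_sendrecv_trivnet1_client_packets(minidlna_t), has no matching connect rule here; the only port access the hunk grants is corenet_tcp_bind_trivnet1_port(minidlna_t), which is the listening side. Drop the client_packets call and keep corenet_sendrecv_trivnet1_server_packets(minidlna_t) so the domain is not allowed more packet access than the bind needs, or, if the domain really does connect out to trivnet1, add the corresponding connect call next to it so the intent is visible in the policy.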