As part of the work I've been doing on security module
stacking I've run up against some artifacts of the existing
Smack networking code that make running Smack and SELinux
at the same time quite a problem. The good news is that I
can see a reasonable approach to addressing the issue. The
bad news is that it may be disruptive to existing systems
that count on ambient labels. It's also going to require a
significant amount of work to get right in all the corner
cases.

The questions here include:

1. How dependent are the users of Smack on the
   ambient label behavior? My hope is that the
   answer is "what's an ambient label".
2. How much are single label hosts as set with
   /sys/fs/smackfs/netlabel being used? If the
   loopback address (127.0.0.1) got set to -CIPSO
   at boot time, would anyone care?
3. Does anyone have a burning desire to work on
   the Smack networking code? There's some pretty
   heavy lifting involved in this, and the existing
   code may not be up for the kind of change that
   will be required.

Thank you