[redhat-lspp] Re: [RFC 2/7] NetLabel: core network changes

James Morris jmorris at namei.org
Thu Jun 22 18:58:33 UTC 2006


On Thu, 22 Jun 2006, Steve Grubb wrote:

> On Thursday 22 June 2006 05:00, David Miller wrote:
> > >  #define NETLINK_GENERIC              16
> > > +#define NETLINK_NETLABEL     17      /* Network packet labeling */
> > >  
> > >  #define MAX_LINKS 32         
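Review bot: Adding NETLINK_NETLABEL as a fixed protocol number here spends one of the MAX_LINKS (32) slots on a single subsystem, and NETLINK_GENERIC on the line above already exists for exactly this purpose; register NetLabel as a generic netlink family instead of a new protocol, as the "Please use generic netlink" reply asks. As the thread notes, per-command SELinux mediation of that family then depends on fine-grained generic netlink support, which is still listed as todo.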
> >
> > Please use generic netlink.
> 
> Since this is a security interface, shouldn't it be its own protocol so that 
> SE Linux can control commands being sent? Paul's patches do include a netlink 
> table in security/selinux/nlmsgtab.c. But I do not see any hooks to control 
> generic netlink messages. (There seem to be several protocols that SE Linux 
> is not controlling.) I could see that someone in secadm role should be able 
> to issue these commands, but someone at sysadm or auditadm would not.
> 
> If moving this over to generic is a must, then I think SE Linux will have to 
> clip into generic to control its packet flow.

SELinux will mediate them as 'generic' netlink.

Fine-grained SELinux support for generic netlink is todo.



-- 
James Morris
<jmorris at namei.org>