[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

[redhat-lspp] Re: [RFC 2/7] NetLabel: core network changes

From: Steve Grubb <sgrubb redhat com>
To: David Miller <davem davemloft net>
Cc: jmorris redhat com, paul moore hp com, sds epoch ncsc mil, redhat-lspp redhat com, linux-security-module vger kernel org, selinux tycho nsa gov, netdev vger kernel org
Subject: [redhat-lspp] Re: [RFC 2/7] NetLabel: core network changes
Date: Thu, 22 Jun 2006 11:05:00 -0400

On Thursday 22 June 2006 05:00, David Miller wrote:
> >  #define NETLINK_GENERIC              16
> > +#define NETLINK_NETLABEL     17      /* Network packet labeling */
> >  
> >  #define MAX_LINKS 32         
>
> Please use generic netlink.

Since this is a security interface, shouldn't it be its own protocol so that 
SE Linux can control commands being sent? Paul's patches do include a netlink 
table in security/selinux/nlmsgtab.c. But I do not see any hooks to control 
generic netlink messages. (There seems to be several protocols that SE Linux 
is not controlling.) I could see that someone in secadm role should be able 
to issue these commands, but someone at sysadm or auditadm would not.

If moving this over to generic is a must, then I think SE Linux will have to 
clip into generic to control its packet flow.

-Steve

Follow-Ups:
- [redhat-lspp] Re: [RFC 2/7] NetLabel: core network changes
  - From: James Morris
- [redhat-lspp] Re: [RFC 2/7] NetLabel: core network changes
  - From: David Miller

References:
- [redhat-lspp] [RFC 0/7] Updated NetLabel patch
  - From: paul . moore
- [redhat-lspp] [RFC 2/7] NetLabel: core network changes
  - From: paul . moore
- [redhat-lspp] Re: [RFC 2/7] NetLabel: core network changes
  - From: David Miller

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]