[redhat-lspp] Re: [RFC 2/7] NetLabel: core network changes
- From: James Morris <jmorris namei org>
- To: Steve Grubb <sgrubb redhat com>
- Cc: jmorris redhat com, paul moore hp com, sds epoch ncsc mil, redhat-lspp redhat com, linux-security-module vger kernel org, selinux tycho nsa gov, netdev vger kernel org, David Miller <davem davemloft net>
- Subject: [redhat-lspp] Re: [RFC 2/7] NetLabel: core network changes
- Date: Thu, 22 Jun 2006 14:58:33 -0400 (EDT)
On Thu, 22 Jun 2006, Steve Grubb wrote:
> On Thursday 22 June 2006 05:00, David Miller wrote:
> > > #define NETLINK_GENERIC 16
> > > +#define NETLINK_NETLABEL 17 /* Network packet labeling */
> > >
> > > #define MAX_LINKS 32
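Review bot: A new top-level protocol number such as NETLINK_NETLABEL 17 consumes one of only MAX_LINKS (32) protocol slots for a single subsystem, and it also needs a matching entry in security/selinux/nlmsgtab.c before SELinux can mediate its individual message types; registering a generic netlink family under the existing NETLINK_GENERIC 16, as suggested, avoids both, with the caveat that SELinux currently mediates generic netlink only as a whole rather than per command.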
> >
> > Please use generic netlink.
>
> Since this is a security interface, shouldn't it be its own protocol so that
> SE Linux can control commands being sent? Paul's patches do include a netlink
> table in security/selinux/nlmsgtab.c. But I do not see any hooks to control
> generic netlink messages. (There seem to be several protocols that SE Linux
> is not controlling.) I could see that someone in secadm role should be able
> to issue these commands, but someone at sysadm or auditadm would not.
>
> If moving this over to generic is a must, then I think SE Linux will have to
> clip into generic to control its packet flow.
SELinux will mediate them as 'generic' netlink.
Fine-grained SELinux support for generic netlink is todo.
--
James Morris
<jmorris namei org>