[redhat-lspp] Netlabel/CIPSO toy policy module

Stephen Smalley sds at tycho.nsa.gov
Thu Jun 29 17:54:12 UTC 2006


On Thu, 2006-06-29 at 08:42 -0400, Paul Moore wrote:
> With the latest patch (and the lspp.40 kernel) you probably won't need to 
> switch into permissive mode to configure NetLabel for the time being.  The 
> reason is that the new patch uses the Generic NETLINK interface which does 
> not yet have any SELinux hooks.  However, rest assured the important parts of 
> the NetLabel NETLINK interface are protected with CAP_NET_ADMIN.

They should still be mediated by SELinux, just not in a fine-grained
manner yet.  SELinux would put them into the generic netlink_socket
class, and still perform normal create/read/write permission checks
between the process and the socket in that class.  It just wouldn't
apply the finer-grained nlmsg_read/write checks based on the message
type.

-- 
Stephen Smalley
National Security Agency
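To make the distinction above concrete, here is a toy policy fragment added for illustration (it is not code from the thread or from the NetLabel patch); the domain names netlabel_ctl_t and route_mgr_t are assumptions:

```selinux
# Added illustration (not from the original thread): a hypothetical domain,
# netlabel_ctl_t, that configures NetLabel over Generic NETLINK.
#
# Generic netlink sockets fall into the generic netlink_socket class, so the
# policy can only grant socket-level permissions (create/read/write/...);
# there is no per-message-type nlmsg_read/nlmsg_write granularity yet.
allow netlabel_ctl_t self:netlink_socket { create bind getattr setattr read write };

# The kernel's CAP_NET_ADMIN check on the NetLabel interface is itself mediated
# by SELinux through the capability class, so the domain needs this too.
allow netlabel_ctl_t self:capability net_admin;

# Contrast: a specialised netlink class such as netlink_route_socket does carry
# message-type permissions, so a read-only consumer (route_mgr_t, hypothetical)
# can be given nlmsg_read without nlmsg_write.
allow route_mgr_t self:netlink_route_socket { create bind getattr read write nlmsg_read };
```

Until Generic NETLINK gains its own class, auditing the netlink_socket rules of a domain is the only way to see which processes may reach the NetLabel configuration interface.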
