On Tue, 2006-05-30 at 10:22 -0400, James Morris wrote:
> On Mon, 29 May 2006, jamal wrote:
>
> > If SELinux should provide ways to add "filters" more dynamically at its
> > hooks - instead of having people go and look for that table and update
[..]
> This is similar to what the secmark stuff does, allows selection and
> labeling to be done via iptables, so the SELinux kernel stuff then just
> needs to look at the labels.

Hopefully SELinux is taught about such label semantics at runtime.

> In this case, I'm not sure it's worthwhile adding a filtering layer to
> Netlink, probably simpler just to have the different Netlink protocols
> define whether each command is one of 'read', 'write' and 'readpriv' (the
> latter is pretty rare), so nothing has to be scanned on the fly at all.
>

We could start by just adding a check for NETLINK_GENERIC in your table (as is done generally for other netlink families/protocols with SELinux) and then do the fine-grained stuff. I think that checking for attributes instead of types will need to be generic for all of netlink. Thomas?

cheers,
jamal
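The two ideas in this exchange, a static per-protocol table that classifies each netlink command as read, write or readpriv, and the fact that such a table cannot say anything useful about NETLINK_GENERIC (whose message types are family ids assigned at runtime, so the decision has to come from the family's own command or attribute definitions), can be shown in a small user-space model. The code below is an added example written for this page; it is not code from the thread, from SELinux's nlmsgtab, or from the kernel. The NETLINK_* and RTM_* numbers are copied from the Linux uapi headers so it builds without them; the NL_PERM_* names, nlmsg_classify(), nlmsg_put() and nlmsg_buffer_allowed() are hypothetical helpers invented for the illustration, and the two-message buffer in main() is constructed sample input.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constants copied from the Linux uapi headers (netlink.h, rtnetlink.h)
   so this file builds on any host; values are the real ones. */
#define NETLINK_ROUTE    0
#define NETLINK_GENERIC 16

#define RTM_NEWLINK  16
#define RTM_DELLINK  17
#define RTM_GETLINK  18
#define RTM_SETLINK  19
#define RTM_NEWADDR  20
#define RTM_DELADDR  21
#define RTM_GETADDR  22
#define RTM_NEWROUTE 24
#define RTM_DELROUTE 25
#define RTM_GETROUTE 26

#define NLMSG_ALIGNTO 4u
#define NLMSG_ALIGN(len) (((len) + NLMSG_ALIGNTO - 1) & ~(NLMSG_ALIGNTO - 1))

/* Hypothetical permission classes mirroring the read/write/readpriv split.
   Bit values so a caller can pass an "allowed" mask. */
enum nl_perm { NL_PERM_NONE = 0, NL_PERM_READ = 1, NL_PERM_WRITE = 2, NL_PERM_READPRIV = 4 };

struct nlmsg_perm { uint16_t nlmsg_type; enum nl_perm perm; };

/* Static table for NETLINK_ROUTE: every command pre-classified, nothing
   is scanned on the fly. (Illustrative subset, not the kernel's table.) */
static const struct nlmsg_perm route_perms[] = {
    { RTM_NEWLINK,  NL_PERM_WRITE }, { RTM_DELLINK,  NL_PERM_WRITE },
    { RTM_GETLINK,  NL_PERM_READ  }, { RTM_SETLINK,  NL_PERM_WRITE },
    { RTM_NEWADDR,  NL_PERM_WRITE }, { RTM_DELADDR,  NL_PERM_WRITE },
    { RTM_GETADDR,  NL_PERM_READ  }, { RTM_NEWROUTE, NL_PERM_WRITE },
    { RTM_DELROUTE, NL_PERM_WRITE }, { RTM_GETROUTE, NL_PERM_READ  },
};

static enum nl_perm table_lookup(const struct nlmsg_perm *tab, size_t n, uint16_t type)
{
    for (size_t i = 0; i < n; i++)
        if (tab[i].nlmsg_type == type)
            return tab[i].perm;
    return NL_PERM_NONE;            /* unknown command: fail closed */
}

/* Classify one message type on one netlink protocol (hypothetical helper). */
enum nl_perm nlmsg_classify(int protocol, uint16_t nlmsg_type)
{
    switch (protocol) {
    case NETLINK_ROUTE:
        return table_lookup(route_perms, sizeof route_perms / sizeof route_perms[0], nlmsg_type);
    case NETLINK_GENERIC:
        /* nlmsg_type is a family id handed out at runtime, so a static table
           cannot say what the command does; the family's own command or
           attribute definitions would have to supply that. Deny until then. */
        return NL_PERM_NONE;
    default:
        return NL_PERM_NONE;
    }
}

/* Same layout as struct nlmsghdr, defined locally. */
struct nlmsghdr_local {
    uint32_t nlmsg_len; uint16_t nlmsg_type; uint16_t nlmsg_flags;
    uint32_t nlmsg_seq; uint32_t nlmsg_pid;
};

/* Append one message (header plus zeroed payload) to buf; returns the new
   used length, or 0 if it does not fit. Hypothetical helper for building
   sample input. */
size_t nlmsg_put(uint8_t *buf, size_t cap, size_t used, uint16_t type, size_t payload_len)
{
    size_t len = sizeof(struct nlmsghdr_local) + payload_len;
    size_t total = NLMSG_ALIGN(len);
    if (used + total > cap)
        return 0;
    struct nlmsghdr_local h = { (uint32_t)len, type, 0, 0, 0 };
    memset(buf + used, 0, total);
    memcpy(buf + used, &h, sizeof h);
    return used + total;
}

/* Walk a send buffer and return 1 only if every message is known and its
   class is within 'allowed'. A truncated, oversized or unknown message
   fails the whole buffer (fail closed). Hypothetical helper. */
int nlmsg_buffer_allowed(int protocol, const uint8_t *buf, size_t len, unsigned allowed)
{
    size_t off = 0;
    while (off < len) {
        struct nlmsghdr_local h;
        if (len - off < sizeof h)
            return 0;
        memcpy(&h, buf + off, sizeof h);
        if (h.nlmsg_len < sizeof h || h.nlmsg_len > len - off)
            return 0;
        enum nl_perm need = nlmsg_classify(protocol, h.nlmsg_type);
        if (need == NL_PERM_NONE || (need & allowed) != (unsigned)need)
            return 0;
        off += NLMSG_ALIGN(h.nlmsg_len);
    }
    return 1;
}

int main(void)
{
    uint8_t buf[128];                       /* constructed sample buffer */
    size_t used = 0;
    used = nlmsg_put(buf, sizeof buf, used, RTM_GETLINK, 0);
    used = nlmsg_put(buf, sizeof buf, used, RTM_NEWROUTE, 0);
    printf("read-only context:  %s\n",
           nlmsg_buffer_allowed(NETLINK_ROUTE, buf, used, NL_PERM_READ) ? "allow" : "deny");
    printf("read+write context: %s\n",
           nlmsg_buffer_allowed(NETLINK_ROUTE, buf, used, NL_PERM_READ | NL_PERM_WRITE) ? "allow" : "deny");
    return 0;
}
```

The table answers the per-message question in one lookup, which is why it needs no filtering layer; the NETLINK_GENERIC branch is where the "check attributes, not types" work the thread talks about would have to plug in, and until it does the safe answer is to deny.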