On Sat, 27 May 2006, James Morris wrote:

> One of the problems is that different Netlink protocols bury their
> commands at different levels, so the SELinux code has to know how deep
> to dig (and then do the digging) to determine exactly which command is
> being called.
Actually, a possible solution here is to completely remove all internal knowledge of netlink messages from SELinux and have the netfilter framework and protocols provide methods to determine message types and permissions.

One of the issues still to resolve for SELinux and generic netlink is that we don't know what the netlink protocol for the socket really is until messages are sent over it, so some socket-level perms for NETLINK_GENERIC will have to be handed out to all potential users (although actual transfer of data can be mediated at a finer granularity).

- James

--
James Morris <[EMAIL PROTECTED]>
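An added illustration of the division of labour sketched in the message above, written for this page and not taken from the kernel or from the thread: each netlink protocol registers a hook that knows where its own command lives (rtnetlink keeps it in nlmsg_type, genetlink one header deeper in genlmsghdr.cmd) and what permission it needs, so the policy layer only dispatches and never digs. The struct layouts and the RTM_BASE/CTRL_CMD_GETFAMILY values mirror the Linux UAPI headers; the hook type, the dispatch table, the permission ids and the command-to-permission rules are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Layouts mirror the kernel UAPI headers (linux/netlink.h, linux/genetlink.h). */
struct nlmsghdr   { uint32_t nlmsg_len; uint16_t nlmsg_type; uint16_t nlmsg_flags;
                    uint32_t nlmsg_seq; uint32_t nlmsg_pid; };
struct genlmsghdr { uint8_t cmd; uint8_t version; uint16_t reserved; };
#define NLMSG_HDRLEN ((sizeof(struct nlmsghdr) + 3u) & ~(size_t)3)

enum { NETLINK_ROUTE = 0, NETLINK_GENERIC = 16 };        /* linux/netlink.h */
enum { RTM_BASE = 16, CTRL_CMD_GETFAMILY = 3 };           /* rtnetlink.h, genetlink.h */
enum { PERM_UNKNOWN = -1, PERM_READ = 0, PERM_WRITE = 1 }; /* hypothetical perm ids */

/* Hypothetical hook each netlink protocol would register: it alone knows
 * how deep its command sits and which permission that command requires. */
typedef int (*nl_perm_hook)(const unsigned char *buf, size_t len);

static int route_perm(const unsigned char *buf, size_t len) {
    struct nlmsghdr nlh;
    if (len < sizeof nlh) return PERM_UNKNOWN;
    memcpy(&nlh, buf, sizeof nlh);
    if (nlh.nlmsg_len < sizeof nlh || nlh.nlmsg_len > len) return PERM_UNKNOWN;
    /* rtnetlink: the command IS nlmsg_type; RTM_* come in NEW/DEL/GET/SET groups of 4 */
    return ((unsigned)(nlh.nlmsg_type - RTM_BASE) & 3u) == 2u ? PERM_READ : PERM_WRITE;
}

static int generic_perm(const unsigned char *buf, size_t len) {
    struct nlmsghdr nlh; struct genlmsghdr gh;
    size_t need = NLMSG_HDRLEN + sizeof gh;
    if (len < need) return PERM_UNKNOWN;
    memcpy(&nlh, buf, sizeof nlh);
    if (nlh.nlmsg_len < need || nlh.nlmsg_len > len) return PERM_UNKNOWN;
    memcpy(&gh, buf + NLMSG_HDRLEN, sizeof gh);   /* genetlink: command is one level deeper */
    /* Hypothetical rule, controller family only: GETFAMILY reads, everything else writes. */
    return gh.cmd == CTRL_CMD_GETFAMILY ? PERM_READ : PERM_WRITE;
}

/* What the policy layer would do: look up the socket's protocol and dispatch.
 * No protocol-specific parsing lives here. */
static int netlink_msg_perm(int protocol, const unsigned char *buf, size_t len) {
    static const struct { int proto; nl_perm_hook hook; } table[] = {
        { NETLINK_ROUTE, route_perm }, { NETLINK_GENERIC, generic_perm },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (table[i].proto == protocol) return table[i].hook(buf, len);
    return PERM_UNKNOWN;   /* unregistered protocol: refuse to guess */
}
```

The truncation checks matter: a message whose nlmsg_len claims more than was received, or one too short to hold the inner header, is reported as unknown rather than classified from bytes that are not there.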