On Mon, 29 May 2006, jamal wrote:

> If SELinux should provide ways to add "filters" more dynamically at its
> hooks - instead of having people go and look for that table and update
> it then it would simplify things and we may be able to easily have
> netlink users to register such filters at startup; in fact we may be able
> to hide this from the users in genetlink.
> One could argue that if SELinux is capable of adding such filters at its
> hooks, then the problem could be moved to user space policy perhaps?
This is similar to what the secmark stuff does, allows selection and labeling to be done via iptables, so the SELinux kernel stuff then just needs to look at the labels.

In this case, I'm not sure it's worthwhile adding a filtering layer to Netlink, probably simpler just to have the different Netlink protocols define whether each command is one of 'read', 'write' and 'readpriv' (the latter is pretty rare), so nothing has to be scanned on the fly at all.

- James
--
James Morris <[EMAIL PROTECTED]>
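To make the static-table approach concrete, here is an added example (not code from the thread, the kernel, or either author) of what "each protocol declares whether a command is read, write or readpriv" looks like in a user-space C program: a per-protocol table for NETLINK_ROUTE keyed by message type, a lookup, and a hook-style check that walks a send buffer. The RTM_* numbers are the real values from <linux/rtnetlink.h>, redefined locally only so the example builds off Linux; the permission enum, the `nlhdr` struct (a 16-byte copy of the on-wire `struct nlmsghdr` layout), the table contents and the test buffers are assumptions for illustration. Two checks a practitioner would want are built in: an unclassified message type denies rather than allows, and every header in the buffer is checked, not only the first, so a permitted message cannot carry a second, unpermitted one behind it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* rtnetlink message type numbers as in <linux/rtnetlink.h>; defined here so
 * the example also builds on non-Linux hosts. */
#ifndef RTM_NEWLINK
#define RTM_NEWLINK  16
#define RTM_DELLINK  17
#define RTM_GETLINK  18
#define RTM_SETLINK  19
#define RTM_NEWADDR  20
#define RTM_DELADDR  21
#define RTM_GETADDR  22
#define RTM_NEWROUTE 24
#define RTM_DELROUTE 25
#define RTM_GETROUTE 26
#endif

/* Assumed permission classes: one bit per class, 0 means "unclassified". */
enum nlmsg_perm {
    NLMSG_PERM_NONE     = 0,
    NLMSG_PERM_READ     = 1u << 0,
    NLMSG_PERM_WRITE    = 1u << 1,
    NLMSG_PERM_READPRIV = 1u << 2,   /* reserved for sensitive reads; unused here */
};

struct nlmsg_perm_entry {
    uint16_t       type;
    enum nlmsg_perm perm;
};

/* Static classification for NETLINK_ROUTE (illustrative table, not the kernel's):
 * every command is declared once, so no payload is scanned per packet. */
static const struct nlmsg_perm_entry route_perms[] = {
    { RTM_NEWLINK,  NLMSG_PERM_WRITE }, { RTM_DELLINK,  NLMSG_PERM_WRITE },
    { RTM_GETLINK,  NLMSG_PERM_READ  }, { RTM_SETLINK,  NLMSG_PERM_WRITE },
    { RTM_NEWADDR,  NLMSG_PERM_WRITE }, { RTM_DELADDR,  NLMSG_PERM_WRITE },
    { RTM_GETADDR,  NLMSG_PERM_READ  }, { RTM_NEWROUTE, NLMSG_PERM_WRITE },
    { RTM_DELROUTE, NLMSG_PERM_WRITE }, { RTM_GETROUTE, NLMSG_PERM_READ  },
};
#define ROUTE_PERMS_N (sizeof(route_perms) / sizeof(route_perms[0]))

/* Minimal copy of the on-wire struct nlmsghdr layout (16 bytes, 4-byte aligned). */
struct nlhdr {
    uint32_t len;
    uint16_t type;
    uint16_t flags;
    uint32_t seq;
    uint32_t pid;
};
#define NLHDR_LEN      ((uint32_t)sizeof(struct nlhdr))
#define NLHDR_ALIGN(n) (((n) + 3u) & ~3u)

/* Permission a message type needs; NONE means the type is not in the table. */
enum nlmsg_perm nlmsg_perm_lookup(const struct nlmsg_perm_entry *tab, size_t n,
                                  uint16_t type)
{
    for (size_t i = 0; i < n; i++)
        if (tab[i].type == type)
            return tab[i].perm;
    return NLMSG_PERM_NONE;
}

/* Hook-style decision over a whole send buffer. Returns 1 if every message is
 * permitted for a socket holding `granted`, else 0. Unknown types, truncated
 * headers and length fields overrunning the buffer all deny (fail closed), and
 * every header is walked so a later message cannot hide behind a permitted one. */
int nlmsg_send_permitted(const struct nlmsg_perm_entry *tab, size_t n,
                         const uint8_t *buf, size_t buflen, unsigned granted)
{
    size_t off = 0;
    while (off < buflen) {
        struct nlhdr h;
        if (buflen - off < NLHDR_LEN)
            return 0;                          /* truncated header */
        memcpy(&h, buf + off, NLHDR_LEN);      /* no unaligned access */
        if (h.len < NLHDR_LEN || h.len > buflen - off)
            return 0;                          /* bogus length */
        enum nlmsg_perm need = nlmsg_perm_lookup(tab, n, h.type);
        if (need == NLMSG_PERM_NONE || (granted & need) != need)
            return 0;
        off += NLHDR_ALIGN(h.len);
    }
    return 1;
}

/* Append one header-only message to a constructed buffer; returns the new length. */
size_t nlmsg_put(uint8_t *buf, size_t off, uint16_t type)
{
    struct nlhdr h = { .len = NLHDR_LEN, .type = type, .flags = 0, .seq = 1, .pid = 0 };
    memcpy(buf + off, &h, NLHDR_LEN);
    return off + NLHDR_ALIGN(NLHDR_LEN);
}

/* Build a constructed buffer from a list of message types and check it. */
int check_types(const uint16_t *types, size_t ntypes, unsigned granted)
{
    uint8_t buf[256];
    size_t len = 0;
    for (size_t i = 0; i < ntypes && len + NLHDR_LEN <= sizeof buf; i++)
        len = nlmsg_put(buf, len, types[i]);
    return nlmsg_send_permitted(route_perms, ROUTE_PERMS_N, buf, len, granted);
}

int main(void)
{
    const uint16_t msgs[] = { RTM_GETLINK, RTM_NEWLINK };
    printf("read-only socket, GETLINK then NEWLINK: %s\n",
           check_types(msgs, 2, NLMSG_PERM_READ) ? "allow" : "deny");
    return 0;
}
```

The deny-by-default on an unknown type is what keeps the table approach honest: a protocol that adds a command without classifying it gets a visible failure rather than a silent bypass. Walking all headers matters because a single sendmsg() may carry several Netlink messages back to back.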