On Thu, 22 Jun 2006, Steve Grubb wrote:

> On Thursday 22 June 2006 05:00, David Miller wrote:
> > > #define NETLINK_GENERIC 16
> > > +#define NETLINK_NETLABEL 17 /* Network packet labeling */
> > >
> > > #define MAX_LINKS 32
> >
> > Please use generic netlink.
>
> Since this is a security interface, shouldn't it be its own protocol so that
> SE Linux can control commands being sent? Paul's patches do include a netlink
> table in security/selinux/nlmsgtab.c. But I do not see any hooks to control
> generic netlink messages. (There seem to be several protocols that SE Linux
> is not controlling.) I could see that someone in secadm role should be able
> to issue these commands, but someone at sysadm or auditadm would not.
>
> If moving this over to generic is a must, then I think SE Linux will have to
> clip into generic to control its packet flow.

SELinux will mediate them as 'generic' netlink. Fine-grained SELinux
support for generic netlink is todo.

-- 
James Morris
<[EMAIL PROTECTED]>
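
Review bot: the added `#define NETLINK_NETLABEL 17` line claims a dedicated netlink protocol number, one of only `MAX_LINKS 32`, and nothing in the hunk says why a dedicated number is required. If it is kept so that SELinux can check individual commands through a per-protocol message table, state that in the comment or changelog; otherwise drop the define and register a generic netlink family under `NETLINK_GENERIC`.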