On Thu, 2006-06-29 at 08:42 -0400, Paul Moore wrote:
> With the latest patch (and the lspp.40 kernel) you probably won't need to
> switch into permissive mode to configure NetLabel for the time being. The
> reason is that the new patch uses the Generic NETLINK interface which does
> not yet have any SELinux hooks. However, rest assured the important parts of
> the NetLabel NETLINK interface are protected with CAP_NET_ADMIN.

They should still be mediated by SELinux, just not in a fine-grained
manner yet. SELinux would put them into the generic netlink_socket
class, and still perform normal create/read/write permission checks
between the process and the socket in that class. It just wouldn't
apply the finer-grained nlmsg_read/write checks based on the message type.

-- 
Stephen Smalley
National Security Agency

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
