On Fri, 3 Aug 2001, James Morris wrote:

> However, things become more complicated if the kernel is configured with
> rtnetlink enabled. This is a separate mechanism for managing the same set
> of objects (see rtnetlink(7)), as well as a few others which may also need
> access/audit hooks for some implementations.

SELinux handles rtnetlink sockets like other sockets - it defines a distinct
security class that identifies the kind of socket (netlink_socket), and it
checks a permission based on the process label, the socket label, and the
socket security class for each socket operation. So, the existing socket
layer hooks by Chris Vance should enable us to control the ability of a
process to create and use a rtnetlink socket. That doesn't provide the level
of granularity that you mention, and it does mean that we end up with
different checks being performed depending on whether you access the routing
table via the socket or via ioctl, but it may be sufficient.

--
Stephen D. Smalley, NAI Labs
ssmalleyat_private

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
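As an added illustration (not code from the post, nor SELinux's own implementation), the following Python model shows the decision shape the reply describes: each socket operation is mapped to a permission and checked against the process label, the socket label and the socket security class. The labels routed_t and user_t, the rule set and the syscall-to-permission map are constructed assumptions.

```python
# Constructed model of a per-operation socket check keyed on
# (process label, socket label, security class). Not SELinux code.

# Assumed policy: (process_type, socket_type, security_class) -> permissions
POLICY = {
    ("routed_t", "routed_t", "netlink_socket"): {"create", "bind", "read", "write"},
    ("user_t", "user_t", "tcp_socket"): {"create", "connect", "read", "write"},
    # user_t may read the routing table over netlink but not modify it
    ("user_t", "user_t", "netlink_socket"): {"create", "bind", "read"},
}

# Assumed mapping from socket-layer hook to the permission it asks for
OP_TO_PERM = {"socket": "create", "bind": "bind", "sendmsg": "write", "recvmsg": "read"}


def check(process_label, socket_label, security_class, perm):
    """Access decision on the three inputs named in the post plus the permission."""
    return perm in POLICY.get((process_label, socket_label, security_class), set())


def socket_op(process_label, security_class, op, socket_label=None):
    """Model one socket syscall. In this model a new socket carries the label
    of the creating process; the operation is then mapped to a permission."""
    if socket_label is None:
        socket_label = process_label
    return check(process_label, socket_label, security_class, OP_TO_PERM[op])


def trace(process_label, security_class, ops):
    """Run a sequence of socket operations, stopping at the first denial."""
    results = []
    for op in ops:
        allowed = socket_op(process_label, security_class, op)
        results.append((op, allowed))
        if not allowed:
            break
    return results
```

Because the class is part of the key, a rule granting tcp_socket access says nothing about netlink_socket, which is the distinction the post relies on.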
This archive was generated by hypermail 2b30 : Thu Aug 02 2001 - 12:42:46 PDT