Re: [PATCH 3/4] add support for modifying secmark via ctnetlink

James Morris wrote:
> On Wed, 21 May 2008, Patrick McHardy wrote:
>
>> Pablo Neira Ayuso wrote:
>>> As for now we only support dumping. This patch adds support to change
>>> the secmark from ctnetlink.
>>
>> I'm wondering whether this isn't subverting the intent of
>> secmark since AFAIK SELinux doesn't have fine-grained
>> controls for netlink messages. OTOH, it also doesn't have
>> fine-grained control over iptables rulesets.
>>
>> James, does this patch look OK to you?
>
> There is some fine-grained netlink coverage, but it is incomplete (the
> various generic netlink layers likely need to be consolidated first).
>
> Currently, the SECMARK and CONNSECMARK targets call out to
> selinux_secmark_relabel_packet_permission() when SELinux is active to
> obtain a permission check. So, detection of the current security model
> would need to be similarly performed.

Thanks for the explanation.

> The bigger issue perhaps is whether there's really a need to set secmark
> via ctnetlink.

I think Pablo wants to use it for synchronization with conntrackd,
but I'm not sure.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
