On Mon, 26 May 2008, Jan Engelhardt wrote:

> In fact, there is not even really a per-rule [rule={match,target}]
> destroy function. A new table image is loaded and atomically
> swapped with the previous one. You would rather want to call
> security_*() in the ioctl phase.

It's possible the existing coarse-grained capability check that SELinux hooks into (cap_net_admin) is enough for rule deletion, given that we don't know the ultimate effect of deleting rules. I.e. there may be no point in trying to further decompose that privilege.

- James

--
James Morris <jmorris@xxxxxxxxx>
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel"
in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
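The point both messages turn on is that the kernel never sees a "delete rule X" request: userspace hands it a whole new table image, which is swapped in atomically, so the only place a permission check can sit is the replace operation itself. The following is an added toy model written for this page to make that concrete; it is not netfilter or SELinux code, and the struct layouts, the CAP_NET_ADMIN_BIT constant and the function names are all invented for illustration. It gates the replace on a single coarse capability bit, swaps the table pointer atomically, and then shows what any finer-grained policy would have to do afterwards: diff the old and new images to discover which rules disappeared.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Toy model only: a rule is a {match,target} pair with an id for diffing. */
struct rule {
    int id;
    char match[32];
    char target[16];
};

/* A complete table image; userspace always submits one of these whole. */
struct table {
    size_t n;
    struct rule rules[8];
};

/* Hypothetical capability bit standing in for CAP_NET_ADMIN (not the real value). */
#define CAP_NET_ADMIN_BIT (1u << 12)

static void add_rule(struct table *t, int id, const char *match, const char *target)
{
    if (t->n >= sizeof t->rules / sizeof t->rules[0])
        return;
    struct rule *r = &t->rules[t->n++];
    r->id = id;
    strncpy(r->match, match, sizeof r->match - 1);
    r->match[sizeof r->match - 1] = '\0';
    strncpy(r->target, target, sizeof r->target - 1);
    r->target[sizeof r->target - 1] = '\0';
}

/* The one hookable point: the ioctl/setsockopt phase that replaces the table.
 * A coarse capability check is all that is available here, because the
 * request carries no information about individual rules being removed. */
static int replace_table(struct table **current, struct table *image, unsigned caller_caps)
{
    if (!(caller_caps & CAP_NET_ADMIN_BIT))
        return -EPERM;
    /* Atomic pointer swap: readers observe either the old or the new image, never a mix. */
    __atomic_exchange_n(current, image, __ATOMIC_SEQ_CST);
    return 0;
}

/* What decomposing the privilege would require: reconstruct deletions by
 * diffing the two images, since no per-rule destroy path ever runs. */
static size_t rules_removed(const struct table *old, const struct table *new,
                            int *removed_ids, size_t max)
{
    size_t count = 0;
    for (size_t i = 0; i < old->n; i++) {
        bool still_present = false;
        for (size_t j = 0; j < new->n; j++) {
            if (old->rules[i].id == new->rules[j].id) {
                still_present = true;
                break;
            }
        }
        if (!still_present && count < max)
            removed_ids[count++] = old->rules[i].id;
    }
    return count;
}

/* Constructed scenario: an unprivileged replace is rejected and leaves the
 * table untouched; a privileged replace swaps it in; the diff then reports
 * rule 2 as the only rule that vanished. Returns 0 when every check holds. */
static int run_scenario(void)
{
    struct table old = {0}, image = {0};
    add_rule(&old, 1, "-p tcp --dport 22", "ACCEPT");
    add_rule(&old, 2, "-p tcp --dport 80", "ACCEPT");
    add_rule(&old, 3, "-s 10.0.0.0/8", "DROP");
    add_rule(&image, 1, "-p tcp --dport 22", "ACCEPT");
    add_rule(&image, 3, "-s 10.0.0.0/8", "DROP");

    struct table *current = &old;
    if (replace_table(&current, &image, 0) != -EPERM || current != &old)
        return 1;
    if (replace_table(&current, &image, CAP_NET_ADMIN_BIT) != 0 || current != &image)
        return 2;

    int removed[8];
    size_t n = rules_removed(&old, current, removed, 8);
    if (n != 1 || removed[0] != 2)
        return 3;
    return 0;
}

int main(void)
{
    return run_scenario();
}
```

The diff in rules_removed is the part the thread argues is not worth doing in the kernel: even once you know rule 2 went away, you still do not know the "ultimate effect" of that removal on traffic, so a per-rule decision would not buy much beyond the single capability gate in replace_table.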